Checking Robustness Between Weak Transactional Consistency Models
CChecking Robustness Between WeakTransactional Consistency Models ⋆ Sidi Mohamed Beillahi ( (cid:66) ) , Ahmed Bouajjani, and Constantin Enea Universit´e de Paris, IRIF, CNRS, Paris, France, { beillahi,abou,cenea } @irif.fr Abstract.
Concurrent accesses to databases are typically encapsulatedin transactions in order to enable isolation from other concurrent compu-tations and resilience to failures. Modern databases provide transactionswith various semantics corresponding to different trade-offs between con-sistency and availability. Since a weaker consistency model provides bet-ter performance, an important issue is investigating the weakest level ofconsistency needed by a given program (to satisfy its specification). Asa way of dealing with this issue, we investigate the problem of checkingwhether a given program has the same set of behaviors when replacinga consistency model with a weaker one. This property known as robust-ness generally implies that any specification of the program is preservedwhen weakening the consistency. We focus on the robustness problemfor consistency models which are weaker than standard serializability,namely, causal consistency, prefix consistency, and snapshot isolation.We show that checking robustness between these models is polynomialtime reducible to a state reachability problem under serializability. Weuse this reduction to also derive a pragmatic proof technique based onLipton’s reduction theory that allows to prove programs robust. We haveapplied our techniques to several challenging applications drawn from theliterature of distributed systems and databases.
Keywords:
Transactional databases · Weak consistency · Program verification
Concurrent accesses to databases are typically encapsulated in transactions in or-der to enable isolation from other concurrent computations and resilience to fail-ures. Modern databases provide transactions with various semantics correspond-ing to different tradeoffs between consistency and availability. The strongestconsistency level is achieved with serializable transactions [41] whose outcomein concurrent executions is the same as if the transactions were executed atom-ically in some order. Since serializability (
SER ) carries a significant penalty onavailability, modern databases often provide weaker consistency models, e.g.,causal consistency ( CC ) [37], prefix consistency ( PC ) [21, 24], and snapshot iso-lation ( SI ) [11]. Causal consistency requires that if a transaction 𝑡 “affects” ⋆ This work is supported in part by the European Research Council (ERC) under theEuropean Union’s Horizon 2020 research and innovation programme (grant agree-ment No 678177). a r X i v : . [ c s . P L ] J a n S.M. Beillahi, A. Bouajjani, and C. Enea. another transaction 𝑡 , e.g., 𝑡 executes before 𝑡 in the same session or 𝑡 readsa value written by 𝑡 , then the updates in these two transactions are observedby any other transaction in this order. Concurrent transactions, which are notcausally related to each other, can be observed in different orders, leading tobehaviors that are not possible under SER . Prefix consistency requires that thereis a total commit order between all the transactions such that each transactionobserves all the updates in a prefix of this sequence ( PC is stronger than CC ).Two transactions can observe the same prefix, which leads to behaviors thatare not admitted by SER . Snapshot isolation further requires that two differenttransactions observe different prefixes if they both write to a common variable.Since a weaker consistency model provides better performance, an importantissue is identifying the weakest level of consistency needed by a program (to sat-isfy its specification). One way to tackle this issue is checking whether a program 𝑃 designed under a consistency model 𝑆 has the same behaviors when run undera weaker consistency model 𝑊 . This property of a program is generally knownas robustness against substituting 𝑆 with 𝑊 . It implies that any specification of 𝑃 is preserved when weakening the consistency model (from 𝑆 to 𝑊 ). Preservingany specification is convenient since specifications are rarely present in practice.The problem of checking robustness for a given program has been investi-gated in several recent works, but only when the stronger model ( 𝑆 ) is SER ,e.g., [9, 10, 12, 18, 25, 39], or sequential consistency in the non-transactionalcase, e.g. [14, 28, 35]. However, there is a large class of specifications that canbe implemented even in the presence of “anomalies”, i.e., behaviors which arenot admitted under
SER (see [45] for a discussion). In this context, an impor-tant question is whether a certain implementation (program) is robust againstsubstituting a weak consistency model, e.g., SI , with a weaker one, e.g., CC .In this paper, we consider the sequence of increasingly strong consistencymodels mentioned above, CC , PC , and SI , and investigate the problem of checkingrobustness for a given program against weakening the consistency model to onein this range. We study the asymptotic complexity of this problem and proposeeffective techniques for establishing robustness based on abstraction. There aretwo important cases to consider: robustness against substituting SI with PC and PC with CC , respectively. Robustness against substituting SI with CC can beobtained as the conjunction of these two cases.In the first case ( SI vs PC ), checking robustness for a program 𝑃 is reduced toa reachability (assertion checking) problem in a composition of 𝑃 under PC witha monitor that checks whether a PC behavior is an “anomaly”, i.e., admitted by 𝑃 under PC , but not under SI . This approach raises two non-trivial challenges:(1) defining a monitor for detecting PC vs SI anomalies that uses a minimalamount of auxiliary memory (to remember past events), and (2) determiningthe complexity of checking if the composition of 𝑃 with the monitor reachesa specific control location under the (weaker) model PC . Interestingly enough,we address these two challenges by studying the relationship between these twoweak consistency models, PC and SI , and serializability . The construction of the We assume that the monitor goes to an error location when detecting an anomaly.hecking Robustness Between Weak Transactional Consistency Models 3 monitor is based on the fact that the PC vs SI anomalies can be defined asroughly, the difference between the PC vs SER and SI vs SER anomalies (investi-gated in previous work [12]), and we show that the reachability problem under PC can be reduced to a reachability problem under SER . These results lead to apolynomial-time reduction of this robustness problem (for arbitrary programs)to a reachability problem under
SER , which is important from a practical pointof view since the
SER semantics (as opposed to the PC or SI semantics) canbe encoded easily in existing verification tools (using locks to guard the isola-tion of transactions). These results also enable a precise characterization of thecomplexity class of this problem.Checking robustness against substituting PC with CC is reduced to the prob-lem of checking robustness against substituting SER with CC . The latter has beenshown to be polynomial-time reducible to reachability under SER in [10]. Thissurprising result relies on the reduction from PC reachability to SER reachabilitymentioned above. This reduction shows that a given program 𝑃 reaches a cer-tain control location under PC iff a transformed program 𝑃 ′ , where essentially,each transaction is split in two parts, one part containing all the reads, and onepart containing all the writes, reaches the same control location under SER . Sincethis reduction preserves the structure of the program, CC vs PC anomalies of aprogram 𝑃 correspond to CC vs SER anomalies of the transformed program 𝑃 ′ .Beyond enabling these reductions, the characterization of classes of anomaliesor the reduction from the PC semantics to the SER semantics are also importantfor a better understanding of these weak consistency models and the differencesbetween them. We believe that these results can find applications beyond ro-bustness checking, e.g., verifying conformance to given specifications.As a more pragmatic approach for establishing robustness, which avoids anon-reachability proof under
SER , we have introduced a proof methodology thatbuilds on Lipton’s reduction theory [38] and the concept of commutativity de-pendency graph introduced in [9], which represents mover type dependenciesbetween the transactions in a program. We give sufficient conditions for robust-ness in all the cases mentioned above, which characterize the commutativitydependency graph associated to a given program.We tested the applicability of these verification techniques on a benchmarkcontaining seven challenging applications extracted from previous work [18, 29,33]. These techniques are precise enough for proving or disproving the robustnessof all these applications, for all combinations of the consistency models.
We give an overview of the robustness problems investigated in this paper, dis-cussing first the case PC vs. CC , and then SI vs PC . We end with an example thatillustrates the robustness checking technique based on commutativity arguments. Robustness PC vs CC . We illustrate the robustness against substituting PC with CC using the FusionTicket and the Twitter programs in Figure 1a and Figure 1c,respectively. FusionTicket manages tickets for a number of events, each eventbeing associated with a venue. Its state consists of a two-dimensional map that S.M. Beillahi, A. Bouajjani, and C. Enea. Process 1 CreateEvent(v, e1, 3): [ Tickets[v][e1] := 3 ] CountTickets(v): [ r := ∑︀ e Tickets[v][e] ] Process 2 CreateEvent(v, e2, 3): [ Tickets[v][e2] := 3 ] CountTickets(v): [ r := ∑︀ e Tickets[v][e] ] (a) FusionTicket. CreateEvent(v,e1,3)CountTickets(v) //r=3
CreateEvent(v,e2,3)CountTickets(v) //r=3
HB PO HB HB POHB (b) A CC trace of FusionTicket. Process 1 Register(u, p1): [ r := RegisteredUsers[u] assume r == 0 RegisteredUsers[u] := 1 Password[u] := p1 ] Process 2 Register(u, p2): [ r := RegisteredUsers[u] assume r == 0 RegisteredUsers[u] := 1 Password[u] := p2 ] (c) Twitter.
Register(u,p1) Register(u,p2)
HBHB (d) A CC and PC trace of Twit-ter. Process 1 RegisterRd(u, p1): [ r := RegisteredUsers[u] assume r == 0 ] RegisterWr(u, p1): [ RegisteredUsers[u] := 1 Password[u] := p1 ] Process 2 RegisterRd(u, p2): [ r := RegisteredUsers[u] assume r == 0 ] RegisterWr(u, p2): [ RegisteredUsers[u] := 1 Password[u] := p2 ] (e) Transformed Twitter.
RegisterRd(u,p1)RegisterWr(u,p1) RegisterRd(u,p2)RegisterWr(u,p2)
HBHB PO HBHB HB PO (f) A CC and SER trace of trans-formed Twitter. Process 1 PlaceBet(1,2): [ assume time < TIMEOUT Bets[1] := 2 ] Process 2 PlaceBet(2,3): [ assume time < TIMEOUT Bets[2] := 3 ] Process 3 SettleBet(): [Bets’ := Bets n := Bets’.Length assume time > TIMEOUT & n > 0 select i s.t. Bets’[i] ̸ = ⊥ return := Bets’[i] ] (g) Betting. PlaceBet(1,2) PlaceBet(2,3) SettleBet() // return=2
HB HB (h) A PC and SI trace of Betting. PlaceBet(1,2) SettleBet() PlaceBet(2,3) (i) Commutativity dependencygraph of Betting.
Fig. 1: Transactional programs and traces under different consistency models.stores the number of tickets for an event in a given venue ( 𝑟 is a local variable,and the assignment in CountTickets is interpreted as a read of the shared state).The program has two processes and each process contains two transactions. Thefirst transaction creates an event e in a venue v with a number of tickets n,and the second transaction computes the total number of tickets for all theevents in a venue v. A possible candidate for a specification of this program isthat the values computed in
CountTickets are monotonically increasing sinceeach such value is computed after creating a new event. Twitter provides atransaction for registering a new user with a given username and password, hecking Robustness Between Weak Transactional Consistency Models 5 which is executed by two parallel processes. Its state contains two maps thatrecord whether a given username has been registered (0 and 1 stand for non-registered and registered, respectively) and the password for a given username.Each transaction first checks whether a given username is free (see the assume statement). The intended specification is that the user must be registered withthe given password when the registration transaction succeeds.A program is robust against substituting PC with CC if its set of behaviorsunder the two models coincide. We model behaviors of a given program as traces ,which record standard control-flow and data-flow dependencies between trans-actions, e.g., the order between transactions in the same session and whethera transaction reads the value written by another (read-from). The transitiveclosure of the union of all these dependency relations is called happens-before .Figure 1b pictures a trace of FusionTicket where the concrete values which areread in a transaction are written under comments. In this trace, each processregisters a different event but in the same venue and with the same number oftickets, and it ignores the event created by the other process when computingthe sum of tickets in the venue.Figure 1b pictures a trace of FusionTicket under CC , which is a witnessthat FusionTicket is not robust against substituting PC with CC . This traceis also a violation of the intended specification since the number of tickets isnot increasing (the sum of tickets is 3 in both processes). The happens-beforedependencies (pictured with HB labeled edges) include the program-order PO (the order between transactions in the same process), and read-write depen-dencies, since an instance of CountTickets(v) does not observe the value writ-ten by the CreateEvent transaction in the other process (the latter overwritessome value that the former reads). This trace is allowed under CC because thetransaction CreateEvent(v, e1, 3) executes concurrently with the transactionCountTickets(v) in the other process, and similarly for CreateEvent(v, e2, 3).However, it is not allowed under PC since it is impossible to define a total com-mit order between CreateEvent(v, e1, 3) and CreateEvent(v, e2, 3) that justi-fies the reads of both CountTickets(v) transactions (these reads should cor-respond to the updates in a prefix of this order). For instance, assuming thatCreateEvent(v, e1, 3) commits before CreateEvent(v, e2, 3), CountTickets(v) inthe second process must observe the effect of CreateEvent(v, e1, 3) as well sinceit observes the effect of CreateEvent(v, e2, 3). However, this contradicts the factthat CountTickets(v) computes the sum of tickets as being 3.On the other hand, Twitter is robust against substituting PC with CC . Forinstance, Figure 1d pictures a trace of Twitter under CC , where the assume in both transactions pass. In this trace, the transactions Register(u,p1) andRegister(u,p2) execute concurrently and are unaware of each other’s writes (theyare not causally related). The HB dependencies include write-write dependenciessince both transactions write on the same location (we consider the transactionin Process 2 to be the last one writing to the Password map), and read-write de-pendencies since each transaction reads
RegisteredUsers that is written by theother. This trace is also allowed under PC since the commit order can be defined S.M. Beillahi, A. Bouajjani, and C. Enea. such that Register(u,p1) is ordered before Register(u,p2), and then both trans-actions read from the initial state (the empty prefix). Note that this trace has acyclic happens-before which means that it is not allowed under serializability.
Checking robustness PC vs CC . We reduce the problem of checking robustnessagainst substituting PC with CC to the robustness problem against substituting SER with CC (the latter reduces to a reachability problem under SER [10]). Thisreduction relies on a syntactic program transformation that rewrites PC behav-iors of a given program 𝑃 to SER behaviors of another program 𝑃 ′ . The program 𝑃 ′ is obtained by splitting each transaction 𝑡 of 𝑃 into two transactions: the firsttransaction performs all the reads in 𝑡 and the second performs all the writesin 𝑡 (the two are related by program order). Figure 1e shows this transforma-tion applied on Twitter. The trace in Figure 1f is a serializable execution ofthe transformed Twitter which is “observationally” equivalent to the trace inFigure 1d of the original Twitter, i.e., each read of the shared state returns thesame value and the writes on the shared state are applied in the same order(the acyclicity of the happens-before shows that this is a serializable trace). Thetransformed FusionTicket coincides with the original version because it containsno transaction that both reads and writes on the shared state.We show that PC behaviors and SER behaviors of the original and transformedprogram, respectively, are related by a bijection. In particular, we show that any PC vs. CC robustness violation of the original program manifests as a SER vs. CC robustness violation of the transformed program, and vice-versa. For instance,the CC trace of the original Twitter in Figure 1d corresponds to the CC trace ofthe transformed Twitter in Figure 1f, and the acyclicity of the latter (the factthat it is admitted by SER ) implies that the former is admitted by the originalTwitter under PC . On the other hand, the trace in Figure 1b is also a CC of thetransformed FusionTicket and its cyclicity implies that it is not admitted byFusionTicket under PC , and thus, it represents a robustness violation. Robustness SI vs PC . We illustrate the robustness against substituting SI with PC using Twitter and the Betting program in Figure 1g. Twitter is not robust against substituting SI with PC , the trace in Figure 1d being a witnessviolation. This trace is also a violation of the intended specification since one ofthe users registers a password that is overwritten in a concurrent transaction.This PC trace is not possible under SI because Register(u,p1) and Register(u,p2)observe the same prefix of the commit order (i.e., an empty prefix), but theywrite to a common memory location Password[u] which is not allowed under SI .On the other hand, the Betting program in Figure 1g, which manages a set ofbets, is robust against substituting SI with PC . The first two processes executeone transaction that places a bet of a value v with a unique bet identifier id,assuming that the bet expiration time is not yet reached (bets are recorded inthe map Bets ). The third process contains a single transaction that settles thebetting assuming that the bet expiration time was reached and at least one bethas been placed. This transaction starts by taking a snapshot of the
Bets mapinto a local variable
Bets’ , and then selects a random non-null value (differentfrom ⊥ ) in the map to correspond to the winning bet. The intended specification hecking Robustness Between Weak Transactional Consistency Models 7 of this program is that the winning bet corresponds to a genuine bet that wasplaced. Figure 1g pictures a PC trace of Betting where SettleBet observes only thebet of the first process PlaceBet(1,2). The HB dependency towards the secondprocess denotes a read-write dependency (SettleBet reads a cell of the map Bets which is overwritten by the second process). This trace is allowed under SI because no two transactions write to the same location. Checking robustness SI vs PC . We reduce robustness against substituting PC with CC to a reachability problem under SER . This reduction is based on acharacterization of happens-before cycles that are possible under PC but not SI ,and the transformation described above that allows to simulate the PC seman-tics of a program on top of SER . The former is used to define an instrumentation(monitor) for the transformed program that reaches an error state iff the orig-inal program is not robust. Therefore, we show that the happens-before cyclesin PC traces that are not admitted by SI must contain a transaction that (1)overwrites a value written by another transaction in the cycle and (2) reads avalue overwritten by another transaction in the cycle. For instance, the trace ofTwitter in Figure 1d is not allowed under SI because Register(u,p2) overwritesa value written by Register(u,p1) (the password) and reads a value overwrittenby Register(u,p1) (checking whether the username 𝑢 is registered). The trace ofBetting in Figure 1g is allowed under SI because its happens-before is acyclic. Checking robustness using commutativity arguments.
Based on the re-ductions above, we propose an approximated method for proving robustnessbased on the concept of mover in Lipton’s reduction theory [38]. A transactionis a left (resp., right) mover if it commutes to the left (resp., right) of anothertransaction (by a different process) while preserving the computation. We usethe notion of mover to characterize the data-flow dependencies in the happens-before. Roughly, there exists a data-flow dependency between two transactionsin some execution if one doesn’t commute to the left/right of the other one.We define a commutativity dependency graph which summarizes the happens-before dependencies in all executions of a transformed program (obtained bysplitting the transactions of the original program as explained above), and de-rive a proof method for robustness which inspects paths in this graph. Twotransactions 𝑡 and 𝑡 are linked by a directed edge iff 𝑡 cannot move to theright of 𝑡 (or 𝑡 cannot move to the left of 𝑡 ), or if they are related by theprogram order. Moreover, two transactions 𝑡 and 𝑡 are linked by an undirectededge iff they are the result of splitting the same transaction.A program is robust against substituting PC with CC if roughly, its commuta-tivity dependency graph does not contain a simple cycle of directed edges withtwo distinct transactions 𝑡 and 𝑡 , such that 𝑡 does not commute left becauseof another transaction 𝑡 in the cycle that reads a variable that 𝑡 writes to,and 𝑡 does not commute right because of another transaction 𝑡 in the cycle ( 𝑡 and 𝑡 can coincide) that writes to a variable that 𝑡 either reads from or writes Traces with an acyclic happens-before are not robustness violations because theyare admitted under serializability, which implies that they are admitted under theweaker model SI as well. S.M. Beillahi, A. Bouajjani, and C. Enea. ⟨ prog ⟩ ::= program ⟨ process ⟩ * ⟨ process ⟩ ::= process ⟨ pid ⟩ regs ⟨ reg ⟩ * ⟨ txn ⟩ * ⟨ txn ⟩ ::= begin ⟨ read ⟩ * ⟨ test ⟩ * ⟨ write ⟩ * commit ⟨ read ⟩ ::= ⟨ label ⟩ : ⟨ reg ⟩ := ⟨ var ⟩ ; goto ⟨ label ⟩ ; ⟨ test ⟩ ::= ⟨ label ⟩ : assume ⟨ bexpr ⟩ ; goto ⟨ label ⟩ ; ⟨ write ⟩ ::= ⟨ label ⟩ : ⟨ var ⟩ := ⟨ reg-expr ⟩ ; goto ⟨ label ⟩ ; Fig. 2: The syntax of our programming language. 𝑎 * indicates zero or more oc-currences of 𝑎 . ⟨ 𝑝𝑖𝑑 ⟩ , ⟨ 𝑟𝑒𝑔 ⟩ , ⟨ 𝑙𝑎𝑏𝑒𝑙 ⟩ , and ⟨ 𝑣𝑎𝑟 ⟩ represent a process identifier, aregister, a label, and a shared variable, respectively. ⟨ 𝑟𝑒𝑔 - 𝑒𝑥𝑝𝑟 ⟩ is an expres-sion over registers while ⟨ 𝑏𝑒𝑥𝑝𝑟 ⟩ is a Boolean expression over registers, or thenon-deterministic choice * .to . For instance, Figure 1i shows the commutativity dependency graph of thetransformed Betting program, which coincides with the original Betting becausePlaceBet(1,2) and PlaceBet(2,3) are write-only transactions and SettleBet() isa read-only transaction. Both simple cycles in Figure 1i contain just two trans-actions and therefore do not meet the criterion above which requires at least 3transactions. Therefore, Betting is robust against substituting PC with CC .A program is robust against substituting SI with PC , if roughly, its commu-tativity dependency graph does not contain a simple cycle with two successivetransactions 𝑡 and 𝑡 that are linked by an undirected edge, such that 𝑡 doesnot commute left because of another transaction 𝑡 in the cycle that writes toa variable that 𝑡 writes to, and 𝑡 does not commute right because of anothertransaction 𝑡 in the cycle ( 𝑡 and 𝑡 can coincide) that writes to a variable that 𝑡 reads from . Betting is also robust against substituting SI with PC for thesame reason (simple cycles of size 2). Syntax.
We present our results in the context of the simple programming lan-guage, defined in Figure 2, where a program is a parallel composition of processes distinguished using a set of identifiers P . A process is a sequence of transactions and each transaction is a sequence of labeled instructions . A transaction startswith a begin instruction and finishes with a commit instruction. Instructions in-clude assignments to a process-local register from a set R or to a shared variable from a set V , or an assume . The assignments use values from a data domain D . An assignment to a register ⟨ 𝑟𝑒𝑔 ⟩ := ⟨ 𝑣𝑎𝑟 ⟩ is called a read of the shared-variable ⟨ 𝑣𝑎𝑟 ⟩ and an assignment to a shared variable ⟨ 𝑣𝑎𝑟 ⟩ := ⟨ 𝑟𝑒𝑔 ⟩ is called The transactions 𝑡 , 𝑡 , 𝑡 , and 𝑡 correspond to 𝑡 , 𝑡 𝑖 , 𝑡 𝑛 , and 𝑡 𝑖 +1 , respectively, inTheorem 6. The transactions 𝑡 , 𝑡 , 𝑡 , and 𝑡 correspond to 𝑡 , 𝑡 , 𝑡 𝑛 , and 𝑡 , respectively, inTheorem 7.hecking Robustness Between Weak Transactional Consistency Models 9 a write to the shared-variable ⟨ 𝑣𝑎𝑟 ⟩ . The assume ⟨ 𝑏𝑒𝑥𝑝𝑟 ⟩ blocks the process ifthe Boolean expression ⟨ 𝑏𝑒𝑥𝑝𝑟 ⟩ over registers is false. It can be used to modelconditionals. The goto statement transfers the control to the program location(instruction) specified by a given label. Since multiple instructions can have thesame label, goto statements can be used to mimic imperative constructs likeloops and conditionals inside transactions.We assume w.l.o.g. that every transaction is written as a sequence of reads or assume statements followed by a sequence of writes (a single goto statement fromthe sequence of read/ assume instructions transfers the control to the sequenceof writes). In the context of the consistency models we study in this paper, everyprogram can be equivalently rewritten as a set of transactions of this form.To simplify the technical exposition, programs contain a bounded number ofprocesses and each process executes a bounded number of transactions. A trans-action may execute an unbounded number of instructions but these instructionsconcern a bounded number of variables, which makes it impossible to model SQL(select/update) queries that may access tables with a statically unknown num-ber of rows. Our results can be extended beyond these restrictions as explainedin Remark 1 and Remark 2. Semantics.
We describe the semantics of a program under four consistencymodels, i.e., causal consistency ( CC ), prefix consistency ( PC ), snapshot isolation( SI ), and serializability ( SER ).In the semantics of a program under CC , shared variables are replicated acrosseach process, each process maintaining its own local valuation of these variables.During the execution of a transaction in a process, its writes are stored in a transaction log that can be accessed only by the process executing the transactionand that is broadcasted to all the other processes at the end of the transaction.To read a shared variable 𝑥 , a process 𝑝 first accesses its transaction log andtakes the last written value on 𝑥 , if any, and then its own valuation of theshared variable, if 𝑥 was not written during the current transaction. Transactionlogs are delivered to every process in an order consistent with the causal relationbetween transactions, i.e., the transitive closure of the union of the program order (the order in which transactions are executed by a process), and the read-from relation (a transaction 𝑡 reads-from a transaction 𝑡 iff 𝑡 reads a value thatwas written by 𝑡 ). When a process receives a transaction log, it immediatelyapplies it on its shared-variable valuation.In the semantics of a program under PC and SI , shared variables are storedin a central memory and each process keeps a local valuation of these variables.When a process starts a new transaction, it fetches a consistent snapshot of theshared variables from the central memory and stores it in its local valuationof these variables. During the execution of a transaction in a process, writesto shared variables are stored in the local valuation of these variables, and in atransaction log. To read a shared variable, a process takes its own valuation of theshared variable. A process commits a transaction by applying the updates in thetransaction log on the central memory in an atomic way (to make them visible We consider a variation known as causal convergence [15, 19]0 S.M. Beillahi, A. Bouajjani, and C. Enea. to all processes). Under SI , when a process applies the writes in a transactionlog on the central memory, it must ensure that there were no concurrent writesthat occurred after the last fetch from the central memory to a shared variablethat was written during the current transaction. Otherwise, the transaction isaborted and its effects discarded.In the semantics of a program under SER , we adopt a simple operationalmodel where we keep a single shared-variable valuation in a central memory(accessed by all processes) with the standard interpretation of read and writestatements. Transactions execute serially, one after another.We use a standard model of executions of a program called trace . A tracerepresents the order between transactions in the same process, and the data-flowin an execution using standard happens-before relations between transactions.We assume that each transaction in a program is identified uniquely using atransaction identifier from a set T . Also, f : T → S is a mapping that associateseach transaction in T with a sequence of read and write events from the set S = { re ( 𝑡, 𝑥, 𝑣 ) , we ( 𝑡, 𝑥, 𝑣 ) : 𝑡 ∈ T , 𝑥 ∈ V , 𝑣 ∈ D } where re ( 𝑡, 𝑥, 𝑣 ) is a read of 𝑥 returning 𝑣 , and we ( 𝑡, 𝑥, 𝑣 ) is a write of 𝑣 to 𝑥 . Definition 1. A trace is a tuple 𝜏 = ( 𝜌, f , TO , PO , WR , WW , RW ) where 𝜌 ⊆ T is a set of transaction identifiers, and – TO is a mapping giving the order between events in each transaction, i.e., itassociates each transaction 𝑡 in 𝜌 with a total order TO ( 𝑡 ) on f ( 𝑡 ) × f ( 𝑡 ) . – PO is the program order relation, a strict partial order on 𝜌 × 𝜌 that ordersevery two transactions issued by the same process. – WR is the read-from relation between distinct transactions ( 𝑡 , 𝑡 ∈ 𝜌 × 𝜌 representing the fact that 𝑡 reads a value written by 𝑡 . – WW is the store order relation on 𝜌 × 𝜌 between distinct transactions thatwrite to the same shared variable. – RW is the conflict order relation between distinct transactions, defined by RW = WR − ; WW ( ; denotes the sequential composition of two relations). For simplicity, for a trace 𝜏 = ( 𝜌, f , TO , PO , WR , WW , RW ), we write 𝑡 ∈ 𝜏 instead of 𝑡 ∈ 𝜌 . We also assume that each trace contains a fictitious transac-tion that writes the initial values of all shared variables, and which is orderedbefore any other transaction in program order. Also, T r X ( 𝒫 ) is the set of tracesrepresenting executions of program 𝒫 under a consistency model X .For each X ∈ { CC , PC , SI , SER } , the set of traces T r X ( 𝒫 ) can be described usingthe set of properties in Table 1. A trace 𝜏 is possible under causal consistency iffthere exist two relations CO a partial order (causal order) and ARB a total order(arbitration order) that includes CO , such that the properties AxCausal , AxArb ,and
AxRetVal hold [15, 26].
AxCausal guarantees that the program order andthe read-from relation are included in the causal order, and
AxArb guaranteesthat the causal order and the store order are included in the arbitration order.
AxRetVal guarantees that a read returns the value written by the last write in the hecking Robustness Between Weak Transactional Consistency Models 11
AxCausal CO +0 ⊆ COAxArb
ARB +0 ⊆ ARB
AxCC AxRetVal ∧ AxCausal ∧ AxArbAxPrefix
ARB ; CO ⊆ COAxPC AxPrefix ∧ AxCCAxConflict WW ⊆ COAxSI AxConflict ∧ AxPCAxSer AxRetVal ∧ AxCausal ∧ AxArb ∧ CO = ARB where CO = PO ∪ WR and ARB = PO ∪ WR ∪ WWAxRetVal = ∀ 𝑡 ∈ 𝜏. ∀ re ( 𝑡, 𝑥, 𝑣 ) ∈ f ( 𝑡 ) we have that – there exist a transaction 𝑡 = 𝑀𝑎𝑥
ARB ( { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } )and an event we ( 𝑡 , 𝑥, 𝑣 ) = 𝑀𝑎𝑥 TO ( 𝑡 ) ( { we ( 𝑡 , 𝑥, · ) ∈ f ( 𝑡 ) } ). Table 1: Declarative definitions of consistency models. For an order relation ≤ , 𝑎 = 𝑀 𝑎𝑥 ≤ ( 𝐴 ) iff 𝑎 ∈ 𝐴 ∧ ∀ 𝑏 ∈ 𝐴. 𝑏 ≤ 𝑎 .last transaction that contains a write to the same variable and that is orderedby CO before the read’s transaction. We use AxCC to denote the conjunctionof these three properties. A trace 𝜏 is possible under prefix consistency iff thereexist a causal order CO and an arbitration order ARB such that
AxCC holdsand the property
AxPrefix holds as well [26].
AxPrefix guarantees that everytransaction observes a prefix of transactions that are ordered by
ARB beforeit. We use
AxPC to denote the conjunction of
AxCC and
AxPrefix . A trace 𝜏 is possible under snapshot isolation iff there exist a causal order CO and anarbitration order ARB such that
AxPC holds and the property
AxConflict holds[26].
AxConflict guarantees that if two transactions write to the same variablethen one of them must observe the other. We use
AxSI to denote the conjunctionof
AxPC and
AxConflict . A trace 𝜏 is serializable iff there exist a causal order CO and an arbitration order ARB such that the property
AxSer holds which impliesthat the two relations CO and ARB coincide. Note that for any given program 𝒫 , T r SER ( 𝒫 ) ⊆ T r SI ( 𝒫 ) ⊆ T r PC ( 𝒫 ) ⊆ T r CC ( 𝒫 ). Also, the four consistency modelswe consider disallow anomalies such as dirty and phantom reads.For a given trace 𝜏 = ( 𝜌, f , TO , PO , WR , WW , RW ), the happens before orderis the transitive closure of the union of all the relations in the trace, i.e., HB =( PO ∪ WR ∪ WW ∪ RW ) + . A classic result states that a trace 𝜏 is serializableiff HB is acyclic [2, 46]. Note that HB is acyclic implies that WW is a totalorder between transactions that write to the same variable, and ( PO ∪ WR ) + and ( PO ∪ WR ∪ WW ) + are acyclic. In this work, we investigate the problem of checking whether a program 𝒫 undera semantics Y ∈ { PC , SI } produces the same set of traces as under a weakersemantics X ∈ { CC , PC } . When this holds, we say that 𝒫 is robust against X relative to Y . Definition 2.
A program 𝒫 is called robust against a semantics X ∈ { CC , PC , SI } relative to a semantics Y ∈ { PC , SI , SER } such that Y is stronger than X iff T r X ( 𝒫 ) = T r Y ( 𝒫 ) . If 𝒫 is not robust against X relative to Y then there must exist a trace 𝜏 ∈ T r X ( 𝒫 ) ∖ T r Y ( 𝒫 ). We say that 𝜏 is a robustness violation trace. [ 𝑥 := 1] 𝑡 [ 𝑟 𝑦 ] // 𝑡 [ 𝑦 := 1] 𝑡 [ 𝑟 𝑥 ] // 𝑡 PO RW PORW (a) Store Buffering ( SB ). [ 𝑟 𝑥 // 𝑥 := 𝑟 𝑡 [ 𝑟 𝑥 // 𝑥 := 𝑟 𝑡 WWRW (b) Lost Update ( LU ). [ 𝑟 𝑥 // 𝑦 := 1] 𝑡 [ 𝑟 𝑦 // 𝑥 := 1] 𝑡 RWRW (c) Write Skew (WS). [ 𝑥 := 1] 𝑡 [ 𝑦 := 1] 𝑡 [ 𝑟 𝑦 ] // 𝑡 [ 𝑟 𝑥 ] // 𝑡 PO WR POWR (d) Message Passing (MP).
Fig. 3: Litmus programsWe illustrate the notion of robustness onthe programs in Figure 3, which are commonlyused in the literature. In all programs, transac-tions of the same process are aligned verticallyand ordered from top to bottom. Each read in-struction is commented with the value it readsin some execution.The store buffering ( SB ) program in Figure3a contains four transactions that are issued bytwo distinct processes. We emphasize an execu-tion where 𝑡 reads 0 from 𝑦 and 𝑡 reads 0 from 𝑥 . This execution is allowed under CC since thetwo writes by 𝑡 and 𝑡 are not causally de-pendent. Thus, 𝑡 and 𝑡 are executed withoutseeing the writes from 𝑡 and 𝑡 , respectively.However, this execution is not feasible under PC (which implies that it is not feasible un-der both SI and SER ). In particular, we cannothave neither ( 𝑡 , 𝑡 ) ∈ ARB nor ( 𝑡 , 𝑡 ) ∈ ARB which contradicts the fact that
ARB is totalorder. For example, if ( 𝑡 , 𝑡 ) ∈ ARB , then( 𝑡 , 𝑡 ) ∈ CO (since ARB ; CO ⊂ CO ) whichcontradicts the fact that 𝑡 does not see 𝑡 .Similarly, ( 𝑡 , 𝑡 ) ∈ ARB implies that ( 𝑡 , 𝑡 ) ∈ CO which contradicts the fact that 𝑡 does not see 𝑡 . Thus, SB is not robustagainst CC relative to PC .The lost update ( LU ) program in Figure 3b has two transactions that areissued by two distinct processes. We highlight an execution where both transac-tions read 0 from 𝑥 . This execution is allowed under PC since both transactionsare not causally dependent and can be executed in parallel by the two processes.However, it is not allowed under SI since both transactions write to a commonvariable (i.e., 𝑥 ). Thus, they cannot be executed in parallel and one of themmust see the write of the other. Thus, SB is not robust against PC relative to SI .The write skew ( WS ) program in Figure 3c has two transactions that areissued by two distinct processes. We highlight an execution where 𝑡 reads 0from 𝑥 and 𝑡 reads 0 from 𝑦 . This execution is allowed under SI since bothtransactions are not causally dependent, do not write to a common variable,and can be executed in parallel by the two processes. However, this executionis not allowed under SER since one of the two transactions must see the write ofthe other. Thus, WS is not robust against SI relative to SER . hecking Robustness Between Weak Transactional Consistency Models 13 The message passing ( MP ) program in Figure 3d has four transactions issuedby two processes. Because 𝑡 and 𝑡 are causally dependent, under any semantics X ∈ { CC , PC , SI , SER } we only have three possible executions of MP , whichcorrespond to either 𝑡 and 𝑡 not observing the writes of 𝑡 and 𝑡 , or 𝑡 and 𝑡 observe the writes of both 𝑡 and 𝑡 , or 𝑡 observes the write of 𝑡 (we highlightthe values read in the second case in Figure 3d). Therefore, the executions ofthis program under the four consistency models coincide. Thus, MP is robustagainst CC relative to any other model. CC Relative to PC We show that checking robustness against CC relative to PC can be reduced tochecking robustness against CC relative to SER . The crux of this reduction is aprogram transformation that allows to simulate the PC semantics of a program 𝒫 using the SER semantics of a program 𝒫 ♣ . Checking robustness against CC relative to SER can be reduced in polynomial time to reachability under
SER [10].Given a program 𝒫 with a set of transactions Tr ( 𝒫 ), we define a program 𝒫 ♣ such that every transaction 𝑡 ∈ Tr ( 𝒫 ) is split into a transaction 𝑡 [ 𝑟 ] thatcontains all the read/ assume statements in 𝑡 (in the same order) and anothertransaction 𝑡 [ 𝑤 ] that contains all the write statements in 𝑡 (in the same order).In the following, we establish the following result: Theorem 1.
A program 𝒫 is robust against CC relative to PC iff 𝒫 ♣ is robustagainst CC relative to SER . Intuitively, under PC , processes can execute concurrent transactions that fetchthe same consistent snapshot of the shared variables from the central memoryand subsequently commit their writes. Decoupling the read part of a transactionfrom the write part allows to simulate such behaviors even under SER .The proof of this theorem relies on several intermediate results concerningthe relationship between traces of 𝒫 and 𝒫 ♣ . Let 𝜏 = ( 𝜌, PO , WR , WW , RW ) ∈ T r X ( 𝒫 ) be a trace of a program 𝒫 under a semantics X . We define the trace 𝜏 ♣ = ( 𝜌 ♣ , PO ♣ , WR ♣ , WW ♣ , RW ♣ ) where every transaction 𝑡 ∈ 𝜏 is split intotwo transactions 𝑡 [ 𝑟 ] ∈ 𝜏 ♣ and 𝑡 [ 𝑤 ] ∈ 𝜏 ♣ , and the dependency relations arestraightforward adaptations, i.e., – PO ♣ is the smallest transitive relation that includes ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) for every 𝑡 ,and ( 𝑡 [ 𝑤 ] , 𝑡 ′ [ 𝑟 ]) if ( 𝑡, 𝑡 ′ ) ∈ PO , – ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ WR ♣ , ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ WW ♣ , and ( 𝑡 ′ [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ RW ♣ if ( 𝑡 ′ , 𝑡 ) ∈ WR , ( 𝑡 ′ , 𝑡 ) ∈ WW , and ( 𝑡 ′ , 𝑡 ) ∈ RW , respectively. [ 𝑟 𝑥 ] // 𝑡 [ 𝑟 ] [ 𝑥 = 𝑟 𝑡 [ 𝑤 ] [ 𝑟 𝑥 ] // 𝑡 [ 𝑟 ] [ 𝑥 = 𝑟 𝑡 [ 𝑤 ] WWPO RWRW PO
Fig. 4: A trace of the transformedLU program ( LU ♣ ).For instance, Figure 4 pictures thetrace 𝜏 ♣ for the LU trace 𝜏 given in Figure3b. For traces 𝜏 of programs that containsingleton transactions, e.g., SB in Figure3a, 𝜏 ♣ coincides with 𝜏 .Conversely, for a given trace 𝜏 ♣ =( 𝜌 ♣ , PO ♣ , WR ♣ , WW ♣ , RW ♣ ) ∈ T r X ( 𝒫 ♣ ) of a program 𝒫 ♣ under a semantics X , we define the trace 𝜏 =( 𝜌, PO , WR , WW , RW ) where every two components 𝑡 [ 𝑟 ] and 𝑡 [ 𝑤 ] are merged intoa transaction 𝑡 ∈ 𝜏 . The dependency relations are defined in a straightforwardway, e.g., if ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ WW ♣ then ( 𝑡 ′ , 𝑡 ) ∈ WW .The following lemma shows that for any semantics X ∈ { CC , PC , SI } , if 𝜏 ∈ T r X ( 𝒫 ) for a program 𝒫 , then 𝜏 ♣ is a valid trace of 𝒫 ♣ under X , i.e., 𝜏 ♣ ∈ T r X ( 𝒫 ♣ ). Intuitively, this lemma shows that splitting transactions in atrace and defining dependency relations appropriately cannot introduce cyclesin these relations and preserves the validity of the different consistency axioms.The proof of this lemma relies on constructing a causal order CO ♣ and anarbitration order ARB ♣ for the trace 𝜏 ♣ starting from the analogous relationsin 𝜏 . In the case of CC , these are the smallest transitive relations such that: – PO ♣ ⊆ CO ♣ ⊆ ARB ♣ , and – if ( 𝑡 , 𝑡 ) ∈ CO then ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ , and if ( 𝑡 , 𝑡 ) ∈ ARB then( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ .For PC and SI , CO ♣ must additionally satisfy: if ( 𝑡 , 𝑡 ) ∈ ARB , then ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ . This is required in order to satisfy the axiom AxPrefix , i.e.,
ARB ♣ ; CO ♣ ⊂ CO ♣ , when ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ and ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ .This construction ensures that CO ♣ is a partial order and ARB ♣ is a totalorder because CO is a partial order and ARB is a total order. Also, based onthe above rules, we have that: if ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ then ( 𝑡 , 𝑡 ) ∈ CO , andsimilarly, if ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ then ( 𝑡 , 𝑡 ) ∈ ARB . Lemma 1. If 𝜏 ∈ T r X ( 𝒫 ) , then 𝜏 ♣ ∈ T r X ( 𝒫 ♣ ) . Before presenting a strengthening of Lemma 1 when X is CC , we give animportant characterization of CC traces. This characterization is stated in termsof acyclicity properties. Lemma 2. 𝜏 is a trace under CC iff ARB +0 and CO +0 ; RW are acyclic (ARB and CO are defined in Table 1). Next we show that a trace 𝜏 of a program 𝒫 is CC iff the corresponding trace 𝜏 ♣ of 𝒫 ♣ is CC as well. This result is based on the observation that cycles in ARB +0 or CO +0 ; RW cannot be broken by splitting transactions. Lemma 3.
A trace 𝜏 of 𝒫 is CC iff the corresponding trace 𝜏 ♣ of 𝒫 ♣ is CC . The following lemma shows that a trace 𝜏 is PC iff the corresponding trace 𝜏 ♣ is SER . The if direction in the proof is based on constructing a causal order CO and an arbitration order ARB for the trace 𝜏 from the arbitration order ARB ♣ in 𝜏 ♣ (since 𝜏 ♣ is a trace under serializability CO ♣ and ARB ♣ coincide). Theseare the smallest transitive relations such that: – if ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ then ( 𝑡 , 𝑡 ) ∈ CO , – if ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ ARB ♣ then ( 𝑡 , 𝑡 ) ∈ ARB . If 𝑡 [ 𝑤 ] is empty ( 𝑡 is read-only), then we set ( 𝑡 , 𝑡 ) ∈ ARB if ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ .If 𝑡 [ 𝑤 ] is empty, then ( 𝑡 , 𝑡 ) ∈ ARB if ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ . If both 𝑡 [ 𝑤 ] and 𝑡 [ 𝑤 ]are empty, then ( 𝑡 , 𝑡 ) ∈ ARB if ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ .hecking Robustness Between Weak Transactional Consistency Models 15 The only-if direction is based on the fact that any cycle in the dependencyrelations of 𝜏 that is admitted under PC (characterized in Lemma 7) is “broken”by splitting transactions. Also, splitting transactions cannot introduce new cyclesthat do not originate in 𝜏 . Lemma 4.
A trace 𝜏 is PC iff 𝜏 ♣ is SER
The lemmas above are used to prove Theorem 1 as follows:
Proof of Theorem 1: For the if direction, assume by contradiction that 𝒫 is notrobust against CC relative to PC . Then, there must exist a trace 𝜏 ∈ T r CC ( 𝒫 ) ∖ T r PC ( 𝒫 ). Lemmas 3 and 4 imply that the corresponding trace 𝜏 ♣ of 𝒫 ♣ is CC andnot SER . Thus, 𝒫 ♣ is not robust against CC relative to SER . The only-if directionis proved similarly. (cid:3)
Robustness against CC relative to SER has been shown to be reducible inpolynomial time to the reachability problem under
SER [10]. Given a program 𝒫 and a control location ℓ , the reachability problem under SER asks whether thereexists an execution of 𝒫 under SER that reaches ℓ . Therefore, as a corollary ofTheorem 1, we obtain the following: Corollary 1.
Checking robustness against CC relative to PC is reducible to thereachability problem under SER in polynomial time.
In the following we discuss the complexity of this problem in the case of finite-state programs (bounded data domain). The upper bound follows from Corol-lary 1 and standard results about the complexity of the reachability problemunder sequential consistency, which extend to
SER , with a bounded [34] or para-metric number of processes [44]. For the lower bound, given an instance ( 𝒫 , ℓ )of the reachability problem under sequential consistency, we construct a pro-gram 𝒫 ′ where each statement 𝑠 of 𝒫 is executed in a different transaction thatguards the execution of 𝑠 using a global lock (the lock can be implemented inour programming language as usual, e.g., using a busy wait loop for locking),and where reaching the location ℓ enables the execution of a “gadget” that corre-sponds to the SB program in Figure 3a. Executing each statement under a globallock ensures that every execution of 𝒫 ′ under CC is serializable, and faithfullyrepresents an execution of 𝒫 under sequential consistency. Moreover, 𝒫 reaches ℓ iff 𝒫 ′ contains a robustness violation, which is due to the SB execution. Corollary 2.
Checking robustness of a program with a fixed number of variablesand bounded data domain against CC relative to PC is PSPACE-complete whenthe number of processes is bounded and EXPSPACE-complete, otherwise. PC Relative to SI In this section, we show that checking robustness against PC relative to SI canbe reduced in polynomial time to a reachability problem under the SER seman-tics. We reuse the program transformation from the previous section that allowsto simulate PC behaviors on top of SER , and additionally, we provide a char-acterization of traces that distinguish the PC semantics from SI . We use this That is, the transaction is of the form [lock; 𝑠 ; unlock]6 S.M. Beillahi, A. Bouajjani, and C. Enea. characterization to define an instrumentation (monitor) that is able to detect ifa program under PC admits such traces.We show that the happens-before cycles in a robustness violation (against PC relative to SI ) must contain a WW dependency followed by a RW dependency,and they should not contain two successive RW dependencies. This follows fromthe fact that every happens-before cycle in a PC trace must contain either two suc-cessive RW dependencies, or a WW dependency followed by a RW dependency.Otherwise, the happens-before cycle would imply a cycle in the arbitration order.Then, any trace under PC where all its simple happens-before cycles contain twosuccessive RW dependencies is possible under SI . For instance, the trace of thenon-robust LU execution in Figure 3b contains WW dependency followed by a RW dependency and does not contain two successive RW dependencies which isdisallowed SI , while the trace of the robust WS execution in Figure 3c containstwo successive RW dependencies. As a first step, we prove the following theoremcharacterizing traces that are allowed under both PC and SI . Theorem 2.
A program 𝒫 is robust against PC relative to SI iff every happens-before cycle in a trace of 𝒫 under PC contains two successive RW dependencies. Before giving the proof of the above theorem, we state several intermediateresults that characterize cycles in PC or SI traces. First, we show that every PC trace in which all simple happens-before cycles contain two successive RW is alsoa SI trace. Lemma 5.
If a trace 𝜏 is PC and all happens-before cycles in 𝜏 contain twosuccessive RW dependencies, then 𝜏 is SI . The proof of Theorem 2 also relies on the following lemma that characterizeshappens-before cycles permissible under SI . Lemma 6. [12, 22] If a trace 𝜏 is SI , then all its happens-before cycles mustcontain two successive RW dependencies. Proof of Theorem 2: For the only-if direction, if 𝒫 is robust against PC relativeto SI then every trace 𝜏 of 𝒫 under PC is SI as well. Therefore, by Lemma 6, allcycles in 𝜏 contain two successive RW which concludes the proof of this direction.For the reverse, let 𝜏 be a trace of 𝒫 under PC such that all its happens-beforecycles contain two successive RW . Then, by Lemma 5, we have that 𝜏 is SI .Thus, every trace 𝜏 of 𝒫 under PC is SI . (cid:3) Next, we present an important lemma that characterizes happens before cy-cles possible under the PC semantics. This is a strengthening of a result in [12]which shows that all happens before cycles under PC must have two successive de-pendencies in { RW , WW } and at least one RW . We show that the two successivedependencies cannot be RW followed WW , or two successive WW . Lemma 7.
If a trace 𝜏 is PC then all happens-before cycles in 𝜏 must containeither two successive RW dependencies or a WW dependency followed by a RW dependency. Combining the results of Theorem 2 and Lemmas 4 and 7, we obtain the followingcharacterization of traces which violate robustness against PC relative to SI . hecking Robustness Between Weak Transactional Consistency Models 17 Theorem 3.
A program 𝒫 is not robust against PC relative to SI iff there existsa trace 𝜏 ♣ of 𝒫 ♣ under SER such that the trace 𝜏 obtained by merging read andwrite transactions in 𝜏 ♣ contains a happens-before cycle that does not containtwo successive RW dependencies, and it contains a WW dependency followed bya RW dependency. The results above enable a reduction from checking robustness against PC relativeto SI to a reachability problem under the SER semantics. For a program 𝒫 , wedefine an instrumentation denoted by [[ 𝒫 ]], such that 𝒫 is not robust against PC relative to SI iff [[ 𝒫 ]] violates an assertion under SER . The instrumentationconsists in rewriting every transaction of 𝒫 as shown in Figure 6. 𝛼 𝑡 𝛽 𝑡 𝛾 𝑡 RW HBWW
Fig. 5: Execution simulating a violationto robustness against PC relative to SI .The instrumentation [[ 𝒫 ]] runningunder SER simulates the PC semanticsof 𝒫 using the same idea of decou-pling the execution of the read partof a transaction from the write part.It violates an assertion when it simu-lates a PC trace containing a happens-before cycle as in Theorem 3. The execution corresponding to this trace has theshape given in Figure 5, where 𝑡 is the transaction that occurs between the WW and the RW dependencies, and every transaction executed after 𝑡 (thiscan be a full transaction in 𝒫 , or only the read or write part of a transaction in 𝒫 ) is related by a happens-before path to 𝑡 (otherwise, the execution of thistransaction can be reordered to occur before 𝑡 ). A transaction in 𝒫 can haveits read part included in 𝛼 and the write part included in 𝛽 or 𝛾 . Also, 𝛽 and 𝛾 may contain transactions in 𝒫 that executed only their read part. It is possiblethat 𝑡 = 𝑡 , 𝛽 = 𝛾 = 𝜖 , and 𝛼 = 𝜖 (the LU program shown in Figure 3b is anexample where this can happen). The instrumentation uses auxiliary variablesto track happens-before dependencies, which are explained below.The instrumentation executes (incomplete) transactions without affectingthe auxiliary variables (without tracking happens-before dependencies) (lines 3and 5) until a non-deterministically chosen point in time when it declares thecurrent transaction as the candidate for 𝑡 (line 9). Only one candidate for 𝑡 can be chosen during the execution. This transaction executes only its reads andit chooses non-deterministically a variable that it could write as a witness forthe WW dependency (see lines 16-22). The name of this variable is stored ina global variable varW (see the definition of ℐ ( x := e )). The writes are not applied on the shared memory. Intuitively, 𝑡 should be thought as a transactionwhose writes are delayed for later, after transaction 𝑡 in Figure 5 executed. Theinstrumentation checks that 𝑡 and 𝑡 can be connected by some happens-beforepath that includes the RW and WW dependencies, and that does not containtwo consecutive RW dependencies. If it is the case, it violates an assertion at thecommit point of 𝑡 . Since the write part of 𝑡 is intuitively delayed to executeafter 𝑡 , the process executing 𝑡 is disabled all along the execution (see the assume false ). This transformation has been defined at the beginning of Section 4.8 S.M. Beillahi, A. Bouajjani, and C. Enea.Transaction “ begin ⟨ read ⟩ * ⟨ test ⟩ * ⟨ write ⟩ * commit ” is rewritten to: if ( !done ) if ( * ) begin
A program 𝒫 is robust against PC relative to SI iff the instrumen-tation in Figure 6 does not violate an assertion when executed under SER . Theorem 4 implies the following complexity result for finite-state programs.The lower bound is proved similarly to the case CC vs PC . Corollary 3.
Checking robustness of a program with a fixed number of variablesand bounded data domain against PC relative to SI is PSPACE-complete whenthe number of processes is bounded and EXPSPACE-complete, otherwise. Checking robustness against CC relative to SI can be also shown to be re-ducible (in polynomial time) to a reachability problem under SER by combiningthe results of checking robustness against CC relative to PC and PC relative to SI . Theorem 5.
A program 𝒫 is robust against CC relative to SI iff 𝒫 is robustagainst CC relative to PC and 𝒫 is robust against PC relative to SI .Remark 1. Our reductions of robustness checking to reachability apply to anextension of our programming language where the number of processes is un-bounded and each process can execute an arbitrary number of times a staticallyknown set of transactions. This holds because the instrumentation in Figure 6and the one in [10] (for the case CC vs. SER ) consist in adding a set of instruc-tions that manipulate a fixed set of process-local or shared variables, which donot store process or transaction identifiers. These reductions extend also to SQLqueries that access unbounded size tables. Rows in a table can be interpretedas memory locations (identified by primary keys in unbounded domains, e.g.,integers), and SQL queries can be interpreted as instructions that read/writea set of locations in one shot. These possibly unbounded sets of locations canbe represented symbolically using the conditions in the SQL queries (e.g., thecondition in the WHERE part of a SELECT). The instrumentation in Figure 6needs to be adapted so that read and write sets are updated by adding sets oflocations for a given instruction (represented symbolically as mentioned above).
We describe an approximated technique for proving robustness, which leveragesthe concept of left/right mover in Lipton’s reduction theory [38]. This techniquereasons on the commutativity dependency graph [9] associated to the transforma-tion 𝒫 ♣ of an input program 𝒫 that allows to simulate the PC semantics underserializability (we use a slight variation of the original definition of this class ofgraphs). We characterize robustness against CC relative to PC and PC relative to SI in terms of certain properties that (simple) cycles in this graph must satisfy.We recall the concept of movers and the definition of commutativity de-pendency graphs. Given a program 𝒫 and a trace 𝜏 = 𝑡 · . . . · 𝑡 𝑛 ∈ T r SER ( 𝒫 )of 𝒫 under serializability, we say that 𝑡 𝑖 ∈ 𝜏 moves right (resp., left) in 𝜏 if 𝑡 · . . . · 𝑡 𝑖 − · 𝑡 𝑖 +1 · 𝑡 𝑖 · 𝑡 𝑖 +2 · . . . · 𝑡 𝑛 (resp., 𝑡 · . . . · 𝑡 𝑖 − · 𝑡 𝑖 · 𝑡 𝑖 − · 𝑡 𝑖 +1 · . . . · 𝑡 𝑛 )is also a valid execution of 𝒫 , 𝑡 𝑖 and 𝑡 𝑖 +1 (resp., 𝑡 𝑖 − ) are executed by distinctprocesses, and both traces reach the same end state. A transaction 𝑡 ∈ Tr ( 𝒫 ) isnot a right (resp., left) mover iff there exists a trace 𝜏 ∈ T r SER ( 𝒫 ) such that 𝑡 ∈ 𝜏 and 𝑡 doesn’t move right (resp., left) in 𝜏 . Thus, when a transaction 𝑡 is not aright mover then there must exist another transaction 𝑡 ′ ∈ 𝜏 which caused 𝑡 to hecking Robustness Between Weak Transactional Consistency Models 21 not be permutable to the right (while preserving the end state). Since 𝑡 and 𝑡 ′ do not commute, then this must be because of either a write-read, write-write,or a read-write dependency relation between the two transactions. We say that 𝑡 is not a right mover because of 𝑡 ′ and a dependency relation that is eitherwrite-read, write-write, or read-write. Notice that when 𝑡 is not a right moverbecause of 𝑡 ′ then 𝑡 ′ is not a left mover because of 𝑡 .We define M WR as a binary relation between transactions such that ( 𝑡, 𝑡 ′ ) ∈ M WR when 𝑡 is not a right mover because of 𝑡 ′ and a write-read dependency ( 𝑡 ′ reads some value written by 𝑡 ). We define the relations M WW and M RW corre-sponding to write-write and read-write dependencies in a similar way. We call M WR , M WW , and M RW , non-mover relations.The commutativity dependency graph of a program 𝒫 is a graph where ver-tices represent transactions in 𝒫 . Two vertices are linked by a program orderedge if the two transactions are executed by the same process. The other edgesin this graph represent the “non-mover” relations M WR , M WW , and M RW . Twovertices that represent the two components 𝑡 [ 𝑤 ] and 𝑡 [ 𝑟 ] of the same transaction 𝑡 (already linked by PO edge) are also linked by an undirected edge labeled by STO (same-transaction relation). [ 𝑥 = 1] 𝑡 𝑤 ] [ 𝑦 = 1] 𝑡 𝑤 ] [ 𝑟 𝑦 ] 𝑡 𝑟 ] [ 𝑟 𝑥 ] 𝑡 𝑟 ] PO M RW M WR M WR M RW PO Fig. 7: The commutativity dependencygraph of the MP ♣ program.Our results about the robust-ness of a program 𝒫 are stated overa slight variation of the commu-tativity dependency graph of 𝒫 ♣ (where a transaction is either read-only or write-only). This graph con-tains additional undirected edgesthat link every pair of transactions 𝑡 [ 𝑟 ] and 𝑡 [ 𝑤 ] of 𝒫 ♣ that were origi-nally components of the same transaction 𝑡 in 𝒫 . Given such a commutativitydependency graph, the robustness of 𝒫 is implied by the absence of cycles of spe-cific shapes. These cycles can be seen as an abstraction of potential robustnessviolations for the respective semantics (see Theorem 6 and Theorem 7). Figure 7pictures the commutativity dependency graph for the MP program. Since everytransaction in MP is singleton, the two programs MP and MP ♣ coincide.Using the characterization of robustness violations against CC relative to SER from [10] and the reduction in Theorem 1, we obtain the following result con-cerning the robustness against CC relative to PC . Theorem 6.
Given a program 𝒫 , if the commutativity dependency graph of theprogram 𝒫 ♣ does not contain a simple cycle formed by 𝑡 · · · 𝑡 𝑖 · · · 𝑡 𝑛 such that: – ( 𝑡 𝑛 , 𝑡 ) ∈ M RW ; – ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ ( PO ∪ WR ) * , for 𝑗 ∈ [1 , 𝑖 − ; – ( 𝑡 𝑖 , 𝑡 𝑖 +1 ) ∈ ( M RW ∪ M WW ) ; – ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ ( M RW ∪ M WW ∪ M WR ∪ PO ) , for 𝑗 ∈ [ 𝑖 + 1 , 𝑛 − .then 𝒫 is robust against CC relative to PC . Next we give the characterization of commutativity dependency graphs requiredfor proving robustness against PC relative to SI . Theorem 7.
Given a program 𝒫 , if the commutativity dependency graph of theprogram 𝒫 ♣ does not contain a simple cycle formed by 𝑡 · · · 𝑡 𝑛 such that: – ( 𝑡 𝑛 , 𝑡 ) ∈ M WW , ( 𝑡 , 𝑡 ) ∈ STO , and ( 𝑡 , 𝑡 ) ∈ M RW ; – ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ ( M RW ∪ M WW ∪ M WR ∪ PO ∪ STO ) * , for 𝑗 ∈ [3 , 𝑛 − ; – ∀ 𝑗 ∈ [2 , 𝑛 − . ∙ if ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ M RW then ( 𝑡 𝑗 +1 , 𝑡 𝑗 +2 ) ∈ ( M WR ∪ PO ∪ M WW ) ; ∙ if ( 𝑡 𝑗 +1 , 𝑡 𝑗 +2 ) ∈ M RW then ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ ( M WR ∪ PO ) . – ∀ 𝑗 ∈ [3 , 𝑛 − . if ( 𝑡 𝑗 +1 , 𝑡 𝑗 +2 ) ∈ STO and ( 𝑡 𝑗 +2 , 𝑡 𝑗 +3 ) ∈ M RW then ( 𝑡 𝑗 , 𝑡 𝑗 +1 ) ∈ M WW .then 𝒫 is robust against PC relative to SI . In Figure 7, we have three simple cycles in the graph: – ( 𝑡 𝑤 ] , 𝑡 𝑟 ]) ∈ M WR and ( 𝑡 𝑟 ] , 𝑡 𝑤 ]) ∈ M RW , – ( 𝑡 𝑤 ] , 𝑡 𝑟 ]) ∈ M WR and ( 𝑡 𝑟 ] , 𝑡 𝑤 ]) ∈ M RW , – ( 𝑡 𝑤 ] , 𝑡 𝑤 ]) ∈ PO , ( 𝑡 𝑤 ] , 𝑡 𝑟 ]) ∈ M WR , ( 𝑡 𝑟 ] , 𝑡 𝑟 ]) ∈ PO , and ( 𝑡 𝑟 ] , 𝑡 𝑤 ]) ∈ M RW .Notice that none of the cycles satisfies the properties in Theorems 6 and 7.Therefore, MP is robust against CC relative to PC and against PC relative to SI . Remark 2.
For programs that contain an unbounded number of processes, anunbounded number of instantiations of a fixed number of process “templates”,or unbounded loops with bodies that contain entire transactions, a sound ro-bustness check consists in applying Theorem 6 and Theorem 7 to (bounded)programs that contain two copies of each process template, and where eachloop is unfolded exactly two times. This holds because the mover relations are“static”, they do not depend on the context in which the transactions execute,and each cycle requiring more than two process instances or more than two loopiterations can be short-circuited to a cycle that exists also in the bounded pro-gram. Every outgoing edge from a third instance/iteration can also be takenfrom the second instance/iteration. Two copies/iterations are necessary in or-der to discover cycles between instances of the same transaction (the cycles inTheorem 6 and Theorem 7 are simple and cannot contain the same transactiontwice). These results extend easily to SQL queries as well because the notion ofmover is independent of particular classes of programs or instructions.
We evaluated our approach for checking robustness on 7 applications extractedfrom the literature on databases and distributed systems, and an applicationBetting designed by ourselves. Two applications were extracted from the OLTP-Bench benchmark [29]: a vote recording application (Vote) and a consumerreview application (Epinions). Three applications were obtained from Githubprojects (used also in [9, 18]): a distributed lock application for the Cassan-dra database (CassandraLock [23]), an application for recording trade activities(SimpleCurrencyExchange [47]), and a micro social media application (Twit-ter [48]). The last two applications are a movie ticketing application (FusionTicket) [33], hecking Robustness Between Weak Transactional Consistency Models 23 and a user subscription application inspired by the Twitter application (Sub-scription). Each application consists of a set of SQL transactions that can becalled an arbitrary number of times from an arbitrary number of processes. Forinstance, Subscription provides an AddUser transaction for adding a new userwith a given username and password, and a RemoveUser transaction for re-moving an existing user. (The examples in Figure 1 are particular variationsof FusionTicket, Twitter, and Betting.) We considered five variations of the ro-bustness problem: the three robustness problems we studied in this paper alongwith robustness against SI relative to SER and against CC relative to SER . Theartifacts are available in a GitHub repository [30].Table 2: Results of the experiments. The columns titled X - Y stand for the resultof applications robustness against X relative to Y . Application Transactions Robustness CC - PC PC - SI CC - SI SI - SER CC - SER
Betting 2 yes yes yes yes yesCassandraLock 3 yes yes yes yes yesEpinions 8 no yes no yes noFusionTicket 3 no no no yes noSimpleCurrencyExchange 4 yes yes yes yes yesSubscription 2 yes no no yes noTwitter 3 no no no yes noVote 1 yes yes yes no no
In the first part of the experiments, we check for robustness violations inbounded-size executions of a given application. For each application, we haveconstructed a client program with a fixed number of processes (2) and a fixednumber of transactions of the corresponding application (at most 2 transactionsper process). For each program and pair of consistency models, we check forrobustness violations using the reductions to reachability under
SER presentedin Section 4 and Section 5 in the case of pairs of weak consistency models, andthe reductions in [9, 10] when checking for robustness relative to
SER .We check for reachability (assertion violations) using the Boogie programverifier [8]. We model tables as unbounded maps in Boogie and SQL queries asfirst-order formulas over these maps (that may contain existential or universalquantifiers). To model the uniqueness of primary keys we use Boogie linear types.Table 2 reports the results of this experiment (cells filled with “no”) . Fiveapplications are not robust against at least one of the semantics relative to someother stronger semantics. The runtimes (wall-clock times) for the robustnesschecks are all under one second, and the memory consumption is around 50Megabytes. Concerning scalability, the reductions to reachability presented inSection 4 and Section 5 show that checking robustness is as hard as checkingreachability (the size of the instrumented program is only linear in the size ofthe original program). Therefore, checking robustness will also suffer from the The Twitter client in Table 2, which is not PC vs CC robust, is different from the onedescribed in Section 2. This client program consists of two processes, each executingFollowUser and AddTweet.4 S.M. Beillahi, A. Bouajjani, and C. Enea. classic state explosion problem when increasing the number of processes. On theother hand, increasing the number of transactions in a process does not seem tointroduce a large overhead. Increasing the number of transactions per process inthe clients of Epinions, FusionTicket, and SimpleCurrencyExchange from 2 to 5introduces a running time overhead of at most 25%.All the robustness violations we report correspond to violations of the in-tended specifications. For instance: (1) the robustness violation of Epinionsagainst CC relative to PC allows two users to update their ratings for a givenproduct and then when each user queries the overall rating of this product theydo not observe the latest rating that was given by the other user, (2) the ro-bustness violation of Subscription against PC relative to SI allows two users toregister new accounts with the same identifier, and (3) the robustness violationof Vote against SI relative to SER allows the same user to vote twice. The spec-ification violation in Twitter was reported in [18]. However, it was reported asviolation of a different robustness property ( CC relative to SER ) while our workshows that the violation persists when replacing a weak consistency model (e.g., SI ) with a weaker one (e.g. CC ). This implies that this specification violationis not present under SI (since it appears in the difference between CC and SI behaviors), which cannot be deduced from previous work.In the second part of the experiments, we used the technique described inSection 6, based on commutativity dependency graphs, to prove robustness. Foreach application (set of transactions) we considered a program that for eachordered pair of (possibly identical) transactions in the application, contains twoprocesses executing that pair of transactions. Following Remark 2, the robustnessof such a program implies the robustness of a most general client of the appli-cation that executes each transaction an arbitrary number of times and from anarbitrary number of processes. We focused on the cases where we could not findrobustness violations in the first part. To build the “non-mover” relations M WR , M WW , and M RW for the commutativity dependency graph, we use the left/rightmover check provided by the CIVL verifier [32]. The results are reported in Ta-ble 2, the cells filled with “yes”. We showed that the three applications Betting,CassandraLock and SimpleCurrencyExchange are robust against any semanticsrelative to some other stronger semantics. As mentioned earlier, all these ro-bustness results are established for arbitrarily large executions and clients withan arbitrary number of processes. For instance, the robustness of SimpleCur-rencyExchange ensures that when the exchange market owner observes a traderegistered by a user, they observe also all the other trades that were done bythis user in the past.In conclusion, our experiments show that the robustness checking techniqueswe present are effective in proving or disproving robustness of concrete applica-tions. Moreover, it shows that the robustness property for different combinationsof consistency models is a relevant design principle, that can help in choosingthe right consistency model for realistic applications, i.e., navigating the trade-off between consistency and performance (in general, weakening the consistencyleads to better performance). hecking Robustness Between Weak Transactional Consistency Models 25 The consistency models in this paper were studied in several recent works [13,15, 19, 20, 24, 42, 43]. Most of them focused on their operational and axiomaticformalizations. The formal definitions we use in this paper are based on thosegiven in [15, 24]. Biswas and Enea [13] shows that checking whether an executionis CC is polynomial time while checking whether it is PC or SI is NP-complete.The robustness problem we study in this paper has been investigated in thecontext of weak memory models, but only relative to sequential consistency,against Release/Aquire (RA), TSO and Power [14, 16, 28, 35]. Checking ro-bustness against CC and SI relative to SER has been investigated in [9, 10].In this work, we study the robustness problem between two weak consistencymodels, which poses different non-trivial challenges. In particular, previous workproposed reductions to reachability under sequential consistency (or
SER ) thatrelied on a concept of minimal robustness violations (w.r.t. an operational se-mantics), which does not apply in our case. The relationship between PC and SER is similar in spirit to the one given by Biswas and Enea [13] in the contextof checking whether an execution is PC . However, that relationship was provenin the context of a “weaker” notion of trace (containing only program order andread-from), and it does not extend to our notion of trace. For instance, thatresult does not imply preserving WW dependencies which is crucial in our case.Some works describe various over- or under-approximate analyses for check-ing robustness relative to SER . The works in [12, 17, 18, 25, 39] propose staticanalysis techniques based on computing an abstraction of the set of computa-tions, which is used for proving robustness. In particular, [18, 39] encode programexecutions under the weak consistency model using FOL formulas to describethe dependency relations between actions in the executions. These approachesmay return false alarms due to the abstractions they consider in their encoding.Note that in this paper, we prove a strengthening of the results of [12] withregard to the shape of happens before cycles allowed under PC .An alternative to trace-based robustness, is state-based robustness which re-quires that a program is robust if the sets of reachable states under two semanticscoincide. While state-robustness is the necessary and sufficient concept for pre-serving state-invariants, its verification, which amounts in computing the set ofreachable states under the weak semantics models is in general a hard problem.The decidability and the complexity of this problem has been investigated inthe context of relaxed memory models such as TSO and Power, and it has beenshown that it is either decidable but highly complex (non-primitive recursive), orundecidable [5, 6]. Automatic procedures for approximate reachability/invariantchecking have been proposed using either abstractions or bounded analyses, e.g.,[1, 4, 7, 27]. Proof methods have also been developed for verifying invariants inthe context of weakly consistent models such as [3, 31, 36, 40]. These methods,however, do not provide decision procedures. ibliography [1] Abdulla, P.A., Atig, M.F., Bouajjani, A., Ngo, T.P.: Context-bounded anal-ysis for POWER. In: Legay, A., Margaria, T. (eds.) Tools and Algorithmsfor the Construction and Analysis of Systems - 23rd International Confer-ence, TACAS 2017, Held as Part of the European Joint Conferences onTheory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April22-29, 2017, Proceedings, Part II. Lecture Notes in Computer Science,vol. 10206, pp. 56–74 (2017). https://doi.org/10.1007/978-3-662-54580-5 4, https://doi.org/10.1007/978-3-662-54580-5_4 [2] Adya, A.: Weak consistency: A generalized theory and optimistic imple-mentations for distributed transactions. Ph.D. thesis (1999)[3] Alglave, J., Cousot, P.: Ogre and pythia: an invariance proof method forweak consistency models. In: Castagna, G., Gordon, A.D. (eds.) Proceedingsof the 44th ACM SIGPLAN Symposium on Principles of ProgrammingLanguages, POPL 2017, Paris, France, January 18-20, 2017. pp. 3–18. ACM(2017), http://dl.acm.org/citation.cfm?id=3009883 [4] Alglave, J., Kroening, D., Tautschnig, M.: Partial orders for efficientbounded model checking of concurrent software. In: Sharygina, N., Veith,H. (eds.) Computer Aided Verification - 25th International Conference,CAV 2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings.Lecture Notes in Computer Science, vol. 8044, pp. 141–157. Springer(2013). https://doi.org/10.1007/978-3-642-39799-8 9, https://doi.org/10.1007/978-3-642-39799-8_9 [5] Atig, M.F., Bouajjani, A., Burckhardt, S., Musuvathi, M.: On theverification problem for weak memory models. In: Hermenegildo,M.V., Palsberg, J. (eds.) Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL2010, Madrid, Spain, January 17-23, 2010. pp. 7–18. ACM (2010).https://doi.org/10.1145/1706299.1706303, https://doi.org/10.1145/1706299.1706303 [6] Atig, M.F., Bouajjani, A., Burckhardt, S., Musuvathi, M.: What’s de-cidable about weak memory models? In: Seidl, H. (ed.) ProgrammingLanguages and Systems - 21st European Symposium on Programming,ESOP 2012, Held as Part of the European Joint Conferences on The-ory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24- April 1, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7211,pp. 26–46. Springer (2012). https://doi.org/10.1007/978-3-642-28869-2 2, https://doi.org/10.1007/978-3-642-28869-2_2 [7] Atig, M.F., Bouajjani, A., Parlato, G.: Getting rid of store-buffers in TSOanalysis. In: Gopalakrishnan, G., Qadeer, S. (eds.) Computer Aided Verifi-cation - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July14-20, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6806, hecking Robustness Between Weak Transactional Consistency Models 27 pp. 99–115. Springer (2011). https://doi.org/10.1007/978-3-642-22110-1 9, https://doi.org/10.1007/978-3-642-22110-1_9 [8] Barnett, M., Chang, B.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boo-gie: A modular reusable verifier for object-oriented programs. In: de Boer,F.S., Bonsangue, M.M., Graf, S., de Roever, W.P. (eds.) Formal Meth-ods for Components and Objects, 4th International Symposium, FMCO2005, Amsterdam, The Netherlands, November 1-4, 2005, Revised Lec-tures. Lecture Notes in Computer Science, vol. 4111, pp. 364–387.Springer (2005). https://doi.org/10.1007/11804192 17, https://doi.org/10.1007/11804192_17 [9] Beillahi, S.M., Bouajjani, A., Enea, C.: Checking robustness against snap-shot isolation. In: Dillig, I., Tasiran, S. (eds.) Computer Aided Verifica-tion - 31st International Conference, CAV 2019, New York City, NY, USA,July 15-18, 2019, Proceedings, Part II. Lecture Notes in Computer Science,vol. 11562, pp. 286–304. Springer (2019). https://doi.org/10.1007/978-3-030-25543-5 17, https://doi.org/10.1007/978-3-030-25543-5_17 [10] Beillahi, S.M., Bouajjani, A., Enea, C.: Robustness against transactionalcausal consistency. In: Fokkink, W.J., van Glabbeek, R. (eds.) 30th In-ternational Conference on Concurrency Theory, CONCUR 2019, Au-gust 27-30, 2019, Amsterdam, the Netherlands. LIPIcs, vol. 140, pp.30:1–30:18. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Informatik (2019).https://doi.org/10.4230/LIPIcs.CONCUR.2019.30, https://doi.org/10.4230/LIPIcs.CONCUR.2019.30 [11] Berenson, H., Bernstein, P.A., Gray, J., Melton, J., O’Neil, E.J., O’Neil,P.E.: A critique of ANSI SQL isolation levels. In: Carey, M.J., Schneider,D.A. (eds.) Proceedings of the 1995 ACM SIGMOD International Con-ference on Management of Data, San Jose, California, USA, May 22-25,1995. pp. 1–10. ACM Press (1995). https://doi.org/10.1145/223784.223785, https://doi.org/10.1145/223784.223785 [12] Bernardi, G., Gotsman, A.: Robustness against consistency mod-els with atomic visibility. In: Desharnais, J., Jagadeesan, R. (eds.)27th International Conference on Concurrency Theory, CONCUR 2016,August 23-26, 2016, Qu´ebec City, Canada. LIPIcs, vol. 59, pp.7:1–7:15. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Informatik (2016).https://doi.org/10.4230/LIPIcs.CONCUR.2016.7, https://doi.org/10.4230/LIPIcs.CONCUR.2016.7 [13] Biswas, R., Enea, C.: On the complexity of checking transactional con-sistency. Proc. ACM Program. Lang. (OOPSLA), 165:1–165:28 (2019).https://doi.org/10.1145/3360591, https://doi.org/10.1145/3360591 [14] Bouajjani, A., Derevenetc, E., Meyer, R.: Checking and enforcing ro-bustness against TSO. In: Felleisen, M., Gardner, P. (eds.) ProgrammingLanguages and Systems - 22nd European Symposium on Programming,ESOP 2013, Held as Part of the European Joint Conferences on The-ory and Practice of Software, ETAPS 2013, Rome, Italy, March 16-24,2013. Proceedings. Lecture Notes in Computer Science, vol. 7792, pp. https://doi.org/10.1007/978-3-642-37036-6_29 [15] Bouajjani, A., Enea, C., Guerraoui, R., Hamza, J.: On verifying causal con-sistency. In: Castagna, G., Gordon, A.D. (eds.) Proceedings of the 44thACM SIGPLAN Symposium on Principles of Programming Languages,POPL 2017, Paris, France, January 18-20, 2017. pp. 626–638. ACM (2017), http://dl.acm.org/citation.cfm?id=3009888 [16] Bouajjani, A., Meyer, R., M¨ohlmann, E.: Deciding robustness againsttotal store ordering. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) Au-tomata, Languages and Programming - 38th International Colloquium,ICALP 2011, Zurich, Switzerland, July 4-8, 2011, Proceedings, Part II.Lecture Notes in Computer Science, vol. 6756, pp. 428–440. Springer(2011). https://doi.org/10.1007/978-3-642-22012-8 34, https://doi.org/10.1007/978-3-642-22012-8_34 [17] Brutschy, L., Dimitrov, D., M¨uller, P., Vechev, M.T.: Serializability for even-tual consistency: criterion, analysis, and applications. In: Castagna, G., Gor-don, A.D. (eds.) Proceedings of the 44th ACM SIGPLAN Symposium onPrinciples of Programming Languages, POPL 2017, Paris, France, January18-20, 2017. pp. 458–472. ACM (2017), http://dl.acm.org/citation.cfm?id=3009895 [18] Brutschy, L., Dimitrov, D., M¨uller, P., Vechev, M.T.: Static serializabilityanalysis for causal consistency. In: Foster, J.S., Grossman, D. (eds.) Proceed-ings of the 39th ACM SIGPLAN Conference on Programming Language De-sign and Implementation, PLDI 2018, Philadelphia, PA, USA, June 18-22,2018. pp. 90–104. ACM (2018). https://doi.org/10.1145/3192366.3192415, https://doi.org/10.1145/3192366.3192415 [19] Burckhardt, S.: Principles of eventual consistency. Found. Trends Program.Lang. (1-2), 1–150 (2014). https://doi.org/10.1561/2500000011, https://doi.org/10.1561/2500000011 [20] Burckhardt, S., Gotsman, A., Yang, H., Zawirski, M.: Replicated data types:specification, verification, optimality. In: Jagannathan, S., Sewell, P. (eds.)The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles ofProgramming Languages, POPL ’14, San Diego, CA, USA, January 20-21,2014. pp. 271–284. ACM (2014). https://doi.org/10.1145/2535838.2535848, https://doi.org/10.1145/2535838.2535848 [21] Burckhardt, S., Leijen, D., Protzenko, J., F¨ahndrich, M.: Global se-quence protocol: A robust abstraction for replicated shared state. In: Boy-land, J.T. (ed.) 29th European Conference on Object-Oriented Program-ming, ECOOP 2015, July 5-10, 2015, Prague, Czech Republic. LIPIcs,vol. 37, pp. 568–590. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Infor-matik (2015). https://doi.org/10.4230/LIPIcs.ECOOP.2015.568, https://doi.org/10.4230/LIPIcs.ECOOP.2015.568 [22] Cahill, M.J., R¨ohm, U., Fekete, A.D.: Serializable isolation forsnapshot databases. ACM Trans. Database Syst. (4), 20:1–20:42(2009). https://doi.org/10.1145/1620585.1620587, https://doi.org/10.1145/1620585.1620587 hecking Robustness Between Weak Transactional Consistency Models 29 [23] Cassandra-lock: https://github.com/dekses/cassandra-lock [24] Cerone, A., Bernardi, G., Gotsman, A.: A framework for transactionalconsistency models with atomic visibility. In: Aceto, L., de Frutos-Escrig, D. (eds.) 26th International Conference on Concurrency Theory,CONCUR 2015, Madrid, Spain, September 1.4, 2015. LIPIcs, vol. 42,pp. 58–71. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Informatik (2015).https://doi.org/10.4230/LIPIcs.CONCUR.2015.58, https://doi.org/10.4230/LIPIcs.CONCUR.2015.58 [25] Cerone, A., Gotsman, A.: Analysing snapshot isolation. J. ACM (2),11:1–11:41 (2018). https://doi.org/10.1145/3152396, https://doi.org/10.1145/3152396 [26] Cerone, A., Gotsman, A., Yang, H.: Algebraic laws for weak consistency.In: Meyer, R., Nestmann, U. (eds.) 28th International Conference onConcurrency Theory, CONCUR 2017, September 5-8, 2017, Berlin, Ger-many. LIPIcs, vol. 85, pp. 26:1–26:18. Schloss Dagstuhl - Leibniz-Zentrumf¨ur Informatik (2017). https://doi.org/10.4230/LIPIcs.CONCUR.2017.26, https://doi.org/10.4230/LIPIcs.CONCUR.2017.26 [27] Dan, A.M., Meshman, Y., Vechev, M.T., Yahav, E.: Effective abstractionsfor verification under relaxed memory models. Comput. Lang. Syst. Struct. , 62–76 (2017). https://doi.org/10.1016/j.cl.2016.02.003, https://doi.org/10.1016/j.cl.2016.02.003 [28] Derevenetc, E., Meyer, R.: Robustness against power is pspace-complete.In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) Au-tomata, Languages, and Programming - 41st International Colloquium,ICALP 2014, Copenhagen, Denmark, July 8-11, 2014, Proceedings, PartII. Lecture Notes in Computer Science, vol. 8573, pp. 158–170. Springer(2014). https://doi.org/10.1007/978-3-662-43951-7 14, https://doi.org/10.1007/978-3-662-43951-7_14 [29] Difallah, D.E., Pavlo, A., Curino, C., Cudr´e-Mauroux, P.: Oltp-bench:An extensible testbed for benchmarking relational databases. Proc. VLDBEndow. (4), 277–288 (2013). https://doi.org/10.14778/2732240.2732246, [30] Experiments: https://github.com/relative-robustness/artifact [31] Gotsman, A., Yang, H., Ferreira, C., Najafzadeh, M., Shapiro, M.: ’causei’m strong enough: reasoning about consistency choices in distributed sys-tems. In: Bod´ık, R., Majumdar, R. (eds.) Proceedings of the 43rd AnnualACM SIGPLAN-SIGACT Symposium on Principles of Programming Lan-guages, POPL 2016, St. Petersburg, FL, USA, January 20 - 22, 2016. pp.371–384. ACM (2016). https://doi.org/10.1145/2837614.2837625, https://doi.org/10.1145/2837614.2837625 [32] Hawblitzel, C., Petrank, E., Qadeer, S., Tasiran, S.: Automated and modu-lar refinement reasoning for concurrent programs. In: Kroening, D., Pasare-anu, C.S. (eds.) Computer Aided Verification - 27th International Confer-ence, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings,Part II. Lecture Notes in Computer Science, vol. 9207, pp. 449–465. Springer (2015). https://doi.org/10.1007/978-3-319-21668-3 26, https://doi.org/10.1007/978-3-319-21668-3_26 [33] Holt, B., Bornholt, J., Zhang, I., Ports, D.R.K., Oskin, M., Ceze, L.: Dis-ciplined inconsistency with consistency types. In: Aguilera, M.K., Cooper,B., Diao, Y. (eds.) Proceedings of the Seventh ACM Symposium on CloudComputing, Santa Clara, CA, USA, October 5-7, 2016. pp. 279–293. ACM(2016). https://doi.org/10.1145/2987550.2987559, https://doi.org/10.1145/2987550.2987559 [34] Kozen, D.: Lower bounds for natural proof systems. In: 18th Annual Sym-posium on Foundations of Computer Science, Providence, Rhode Island,USA, 31 October - 1 November 1977. pp. 254–266. IEEE Computer Soci-ety (1977). https://doi.org/10.1109/SFCS.1977.16, https://doi.org/10.1109/SFCS.1977.16 [35] Lahav, O., Margalit, R.: Robustness against release/acquire semantics.In: McKinley, K.S., Fisher, K. (eds.) Proceedings of the 40th ACM SIG-PLAN Conference on Programming Language Design and Implementa-tion, PLDI 2019, Phoenix, AZ, USA, June 22-26, 2019. pp. 126–141. ACM(2019). https://doi.org/10.1145/3314221.3314604, https://doi.org/10.1145/3314221.3314604 [36] Lahav, O., Vafeiadis, V.: Owicki-gries reasoning for weak memory mod-els. In: Halld´orsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B.(eds.) Automata, Languages, and Programming - 42nd International Col-loquium, ICALP 2015, Kyoto, Japan, July 6-10, 2015, Proceedings, PartII. Lecture Notes in Computer Science, vol. 9135, pp. 311–323. Springer(2015). https://doi.org/10.1007/978-3-662-47666-6 25, https://doi.org/10.1007/978-3-662-47666-6_25 [37] Lamport, L.: Time, clocks, and the ordering of events in adistributed system. Commun. ACM (7), 558–565 (1978).https://doi.org/10.1145/359545.359563, https://doi.org/10.1145/359545.359563 [38] Lipton, R.J.: Reduction: A method of proving properties ofparallel programs. Commun. ACM (12), 717–721 (1975).https://doi.org/10.1145/361227.361234, https://doi.org/10.1145/361227.361234 [39] Nagar, K., Jagannathan, S.: Automated detection of serializability vi-olations under weak consistency. In: Schewe, S., Zhang, L. (eds.)29th International Conference on Concurrency Theory, CONCUR 2018,September 4-7, 2018, Beijing, China. LIPIcs, vol. 118, pp. 41:1–41:18. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Informatik (2018).https://doi.org/10.4230/LIPIcs.CONCUR.2018.41, https://doi.org/10.4230/LIPIcs.CONCUR.2018.41 [40] Najafzadeh, M., Gotsman, A., Yang, H., Ferreira, C., Shapiro, M.: TheCISE tool: proving weakly-consistent applications correct. In: Alvaro,P., Bessani, A. (eds.) Proceedings of the 2nd Workshop on the Princi-ples and Practice of Consistency for Distributed Data, PaPoC@EuroSys2016, London, United Kingdom, April 18, 2016. pp. 2:1–2:3. ACM hecking Robustness Between Weak Transactional Consistency Models 31 (2016). https://doi.org/10.1145/2911151.2911160, https://doi.org/10.1145/2911151.2911160 [41] Papadimitriou, C.H.: The serializability of concurrent database updates.J. ACM (4), 631–653 (1979). https://doi.org/10.1145/322154.322158, https://doi.org/10.1145/322154.322158 [42] Perrin, M., Most´efaoui, A., Jard, C.: Causal consistency: beyond mem-ory. In: Asenjo, R., Harris, T. (eds.) Proceedings of the 21st ACM SIG-PLAN Symposium on Principles and Practice of Parallel Programming,PPoPP 2016, Barcelona, Spain, March 12-16, 2016. pp. 26:1–26:12. ACM(2016). https://doi.org/10.1145/2851141.2851170, https://doi.org/10.1145/2851141.2851170 [43] Raad, A., Lahav, O., Vafeiadis, V.: On the semantics of snapshot isolation.In: Enea, C., Piskac, R. (eds.) Verification, Model Checking, and AbstractInterpretation - 20th International Conference, VMCAI 2019, Cascais, Por-tugal, January 13-15, 2019, Proceedings. Lecture Notes in Computer Sci-ence, vol. 11388, pp. 1–23. Springer (2019). https://doi.org/10.1007/978-3-030-11245-5 1, https://doi.org/10.1007/978-3-030-11245-5_1 [44] Rackoff, C.: The covering and boundedness problems for vec-tor addition systems. Theor. Comput. Sci. , 223–231 (1978).https://doi.org/10.1016/0304-3975(78)90036-1, https://doi.org/10.1016/0304-3975(78)90036-1 [45] Shapiro, M., Ardekani, M.S., Petri, G.: Consistency in 3d. In: Deshar-nais, J., Jagadeesan, R. (eds.) 27th International Conference on Concur-rency Theory, CONCUR 2016, August 23-26, 2016, Qu´ebec City, Canada.LIPIcs, vol. 59, pp. 3:1–3:14. Schloss Dagstuhl - Leibniz-Zentrum f¨ur In-formatik (2016). https://doi.org/10.4230/LIPIcs.CONCUR.2016.3, https://doi.org/10.4230/LIPIcs.CONCUR.2016.3 [46] Shasha, D.E., Snir, M.: Efficient and correct execution of parallel programsthat share memory. ACM Trans. Program. Lang. Syst. (2), 282–312(1988). https://doi.org/10.1145/42190.42277, https://doi.org/10.1145/42190.42277 [47] Trade: https://github.com/Haiyan2/Trade [48] Twitter: https://github.com/edmundophie/cassandra-twitter Open Access
This chapter is licensed under the terms of the Creative CommonsAttribution 4.0 International License ( http://creativecommons.org/licenses/by/4.0/ ), which permits use, sharing, adaptation, distribution and reproduction in anymedium or format, as long as you give appropriate credit to the original author(s) andthe source, provide a link to the Creative Commons license and indicate if changeswere made.The images or other third party material in this chapter are included in the chapter’sCreative Commons license, unless indicated otherwise in a credit line to the material. Ifmaterial is not included in the chapter’s Creative Commons license and your intendeduse is not permitted by statutory regulation or exceeds the permitted use, you will needto obtain permission directly from the copyright holder.2 S.M. Beillahi, A. Bouajjani, and C. Enea.
A Proofs for Section 4
Proof (Proof of Lemma 1).
We start with the case X = CC . We first show that 𝜏 ♣ satisfies AxCausal and
AxArb . For
AxCausal , let 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } and 𝑡 ′ ∈{ 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } , such that ( 𝑡 ′ , 𝑡 ′ ) ∈ ( PO ♣ ∪ WR ♣ ) + . By the definition of CO ♣ ,we have that either ( 𝑡 ′ = 𝑡 [ 𝑟 ] , 𝑡 ′ = 𝑡 [ 𝑤 ]) ∈ PO ♣ and 𝑡 = 𝑡 or ( 𝑡 , 𝑡 ) ∈ ( PO ∪ WR ) + , which implies that ( 𝑡 , 𝑡 ) ∈ CO . In both cases we obtain that( 𝑡 ′ , 𝑡 ′ ) ∈ CO ♣ . The axiom AxCausal can be proved in a similar way.Next, we show that 𝜏 ♣ satisfies the property AxRetVal . Let 𝑡 be a transactionin 𝜏 that contains a read event re ( 𝑡, 𝑥, 𝑣 ). Let 𝑡 be the transaction in 𝜏 suchthat 𝑡 = 𝑀 𝑎𝑥
ARB ( { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } ) . The read value 𝑣 must have been written by 𝑡 since 𝜏 satisfies AxRetVal . Thus,the read re ( 𝑡, 𝑥, 𝑣 ) in 𝑡 [ 𝑟 ] of 𝜏 ♣ must return the value written by 𝑡 [ 𝑤 ]. From thedefinitions of CO ♣ and ARB ♣ , we get 𝑡 [ 𝑤 ] ∈ { 𝑡 ′ [ 𝑤 ] ∈ 𝜏 ♣ | ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ ∧ ∃ we ( 𝑡 ′ [ 𝑤 ] , 𝑥, · ) ∈ f ( 𝑡 ′ [ 𝑤 ]) } iff 𝑡 ∈ { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } because ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ implies ( 𝑡 , 𝑡 ) ∈ CO . Since ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ ARB ♣ implies ( 𝑡 , 𝑡 ) ∈ ARB , we also obtain that 𝑡 [ 𝑤 ] = 𝑀 𝑎𝑥
ARB ♣ ( { 𝑡 ′ [ 𝑤 ] ∈ 𝜏 ♣ | ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ ∧ ∃ we ( 𝑡 ′ [ 𝑤 ] , 𝑥, · ) ∈ f ( 𝑡 ′ [ 𝑤 ]) } )and since the read re ( 𝑡, 𝑥, 𝑣 ) in 𝑡 [ 𝑟 ] of 𝜏 ♣ returns the value written by 𝑡 [ 𝑤 ], 𝜏 ♣ satisfies AxRetVal .For the case X = PC , we show that 𝜏 ♣ satisfies the property AxPrefix (the otheraxioms are proved as in the case of CC ). Suppose we have ( 𝑡 ′ , 𝑡 ′ ) ∈ ARB ♣ and( 𝑡 ′ , 𝑡 ′ ) ∈ CO ♣ where 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } , 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } , and 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } .The are five cases to be discussed:1. ( 𝑡 ′ = 𝑡 [ 𝑟 ] , 𝑡 ′ = 𝑡 [ 𝑤 ]) ∈ PO ♣ and 𝑡 = 𝑡 and ( 𝑡 , 𝑡 ) ∈ CO ,2. ( 𝑡 , 𝑡 ) ∈ ARB and ( 𝑡 , 𝑡 ) ∈ CO ,3. ( 𝑡 , 𝑡 ) ∈ ARB and ( 𝑡 ′ = 𝑡 [ 𝑟 ] , 𝑡 ′ = 𝑡 [ 𝑤 ]) ∈ PO ♣ and 𝑡 = 𝑡 ,4. ( 𝑡 ′ = 𝑡 [ 𝑟 ] , 𝑡 ′ = 𝑡 [ 𝑤 ]) ∈ PO ♣ and 𝑡 = 𝑡 and ( 𝑡 , 𝑡 ) ∈ ARB and 𝑡 ′ = 𝑡 [ 𝑤 ],5. ( 𝑡 , 𝑡 ) ∈ ARB and ( 𝑡 , 𝑡 ) ∈ ARB and 𝑡 ′ = 𝑡 [ 𝑤 ].Cases (a) and (b) imply that ( 𝑡 , 𝑡 ) ∈ CO since ARB ; CO ⊂ ARB , which impliesthat ( 𝑡 ′ , 𝑡 ′ ) ∈ CO ♣ . Cases (c), (d), and (e) imply that ( 𝑡 , 𝑡 ) ∈ ARB and 𝑡 ′ = 𝑡 [ 𝑤 ] then we get that ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ and 𝑡 ′ = 𝑡 [ 𝑤 ] which meansthat ( 𝑡 ′ , 𝑡 ′ ) ∈ CO ♣ .Note that the rule ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ if ( 𝑡 , 𝑡 ) ∈ ARB cannot change thefact that 𝑡 [ 𝑤 ] ∈ { 𝑡 ′ [ 𝑤 ] ∈ 𝜏 ♣ | ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ ∧ ∃ we ( 𝑡 ′ [ 𝑤 ] , 𝑥, · ) ∈ f ( 𝑡 ′ [ 𝑤 ]) } hecking Robustness Between Weak Transactional Consistency Models 33 iff 𝑡 ∈ { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } Thus, the proof of
AxRetVal follows as in the previous case.For the case X = SI , we show that 𝜏 ♣ satisfies AxConflict . If ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ WW ♣ , then ( 𝑡 , 𝑡 ) ∈ WW ⊂ CO , which implies that ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ CO ♣ . There-fore, ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ CO ♣ , which concludes the proof. The axiom AxRetVal canbe proved as in the previous cases.
Proof (Proof of Lemma 2). ( ⇒ ) Let 𝜏 be a trace under CC . From AxCausal and
AxArb we get that
ARB +0 ⊂ ARB , and
ARB +0 is acyclic because ARB istotal order. Assume by contradiction that CO +0 ; RW is cyclic which implies that CO ; RW is cyclic since CO +0 ⊂ CO , which means that there exist 𝑡 and 𝑡 suchthat ( 𝑡 , 𝑡 ) ∈ CO and ( 𝑡 , 𝑡 ) ∈ RW . ( 𝑡 , 𝑡 ) ∈ RW implies that there exists 𝑡 such that ( 𝑡 , 𝑡 ) ∈ WW and ( 𝑡 , 𝑡 ) ∈ WR . Based on the definition of AxRetVal , 𝑡 has two possible instances: – 𝑡 corresponds to the ”fictional” transaction that wrote the initial valueswhich cannot be the case when ( 𝑡 , 𝑡 ) ∈ CO and 𝑡 writes to the samevariable that 𝑡 reads from, – 𝑡 is the last transaction that occurs before 𝑡 that writes the value readby 𝑡 , which means that ( 𝑡 , 𝑡 ) ∈ ARB which contradicts the fact that( 𝑡 , 𝑡 ) ∈ WW since WW ⊂ ARB .( ⇐ ) Let 𝜏 be a trace such that ARB +0 and CO +0 ; RW are acyclic. Then, wedefine the relations CO and ARB such that CO = CO +0 and ARB is any totalorder that includes
ARB +0 . Then, we obtain that ( CO ∪ WW ) + ⊂ ARB and CO ; RW is acyclic. Thus, 𝜏 satisfies the properties AxCausal and
AxArb . Next,we will show that 𝜏 satisfies AxRetVal . Let 𝑡 be a transaction in 𝜏 that containsa read event re ( 𝑡, 𝑥, 𝑣 ). Let 𝑡 be transaction in 𝜏 such that 𝑡 = 𝑀 𝑎𝑥
ARB ( { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } )then the read must return a value written by 𝑡 . Assume by contradiction thatthere exists some other transaction 𝑡 ̸ = 𝑡 such that ( 𝑡 , 𝑡 ) ∈ WR . Then, weget that ( 𝑡 , 𝑡 ) ∈ ARB and both write to 𝑥 , therefore, ( 𝑡 , 𝑡 ) ∈ WW since WW ⊂ ARB . Combining ( 𝑡 , 𝑡 ) ∈ WR and ( 𝑡 , 𝑡 ) ∈ WW we obtain ( 𝑡, 𝑡 ) ∈ RW and since ( 𝑡 , 𝑡 ) ∈ CO then we obtain that ( 𝑡, 𝑡 ) ∈ CO ; RW which contradicts thefact that CO ; RW is acyclic. Therefore, the read value was written by 𝑡 and 𝜏 satisfies AxRetVal . Proof (Proof of Lemma 3).
The only-if direction follows from Lemma 1. For theif direction: consider a trace 𝜏 ♣ which is CC . We prove by contradiction that 𝜏 must be CC as well. Assume that 𝜏 is not CC then it must contain a cycle ineither ARB +0 or CO +0 ; RW (based on Lemma 2). In the rest of the proof whenwe mention a cycle we implicitly refer to a cycle in either ARB +0 or CO +0 ; RW .Splitting every transaction 𝑡 ∈ 𝜏 in a trace to a pair of transactions 𝑡 [ 𝑟 ] and 𝑡 [ 𝑤 ] that occur in this order might not maintain a cycle of 𝜏 . However, we prove that this is not possible and our splitting conserves the cycle. Assume we havea vertex 𝑡 as part of the cycle. We show that 𝑡 can be split into two transactions 𝑡 [ 𝑟 ] and 𝑡 [ 𝑤 ] while maintaining the cycle. Note that 𝑡 is part of a cycle iff either1. ( 𝑡 , 𝑡 ) ∈ ARB and ( 𝑡, 𝑡 ) ∈ ARB or2. ( 𝑡 , 𝑡 ) ∈ CO and ( 𝑡, 𝑡 ) ∈ CO or3. ( 𝑡 , 𝑡 ) ∈ CO and ( 𝑡, 𝑡 ) ∈ RW or4. ( 𝑡 , 𝑡 ) ∈ RW and ( 𝑡, 𝑡 ) ∈ CO where 𝑡 and 𝑡 might refer to the same transaction. Thus, by splitting 𝑡 to 𝑡 [ 𝑟 ]and 𝑡 [ 𝑤 ], the above four cases imply that:1. if ( 𝑡 , 𝑡 ) ∈ CO and ( 𝑡, 𝑡 ) ∈ ARB then ( 𝑡 ′ , 𝑡 [ 𝑟 ]) ∈ ( PO ♣ ∪ WR ♣ ) and( 𝑡 [ 𝑤 ] , 𝑡 ′ ) ∈ ( PO ♣ ∪ WR ♣ ∪ WW ♣ ) where 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } and 𝑡 ′ ∈ { 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ] } .This maintains the vertices 𝑡 ′ and 𝑡 ′ connected in the cycle formed by thedependency relations of 𝜏 ♣ since ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ PO ♣ ;2. if ( 𝑡 , 𝑡 ) ∈ WW and ( 𝑡, 𝑡 ) ∈ ARB then ( 𝑡 ′ , 𝑡 [ 𝑤 ]) ∈ WW ♣ and ( 𝑡 [ 𝑤 ] , 𝑡 ′ ) ∈ ( PO ♣ ∪ WR ♣ ∪ WW ♣ ) which maintains the vertices 𝑡 ′ and 𝑡 ′ connected inthe cycle formed by the dependency relations of 𝜏 ♣ ;3. ( 𝑡 , 𝑡 ) ∈ CO and ( 𝑡 , 𝑡 ) ∈ RW then ( 𝑡 ′ , 𝑡 [ 𝑟 ]) ∈ ( PO ♣ ∪ WR ♣ ) and ( 𝑡 [ 𝑟 ] , 𝑡 ′ ) ∈ RW ♣ maintains the vertices 𝑡 ′ and 𝑡 ′ connected in the cycle formed by thedependency relations of 𝜏 ♣ ;4. ( 𝑡 , 𝑡 ) ∈ RW and ( 𝑡 , 𝑡 ) ∈ CO then ( 𝑡 ′ , 𝑡 [ 𝑤 ]) ∈ RW ♣ and ( 𝑡 [ 𝑤 ] , 𝑡 ′ ) ∈ ( PO ♣ ∪ WR ♣ ) which maintains the vertices 𝑡 ′ and 𝑡 ′ connected in the cycle formedby the dependency relations of 𝜏 ♣ as well.Therefore, doing the splitting creates a cycle in either ( PO ♣ ∪ WR ♣ ∪ WW ♣ ) + or ( PO ♣ ∪ WR ♣ ) + ; RW ♣ which implies that 𝜏 ♣ is not CC , a contradiction. Proof (Proof of Lemma 4). ( ⇐ ) Assume that 𝜏 ♣ is SER . We will show that 𝜏 is PC . Notice that if ( 𝑡 , 𝑡 ) ∈ CO +0 then ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ which impliesthat ( 𝑡 , 𝑡 ) ∈ CO . Similarly, if ( 𝑡 , 𝑡 ) ∈ ARB +0 then ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ ARB ♣ or( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ which implies that ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ ARB ♣ which in bothcases implies that ( 𝑡 , 𝑡 ) ∈ ARB . Thus, 𝜏 satisfies the properties AxCausal and
AxArb .Now assume that ( 𝑡 , 𝑡 ) ∈ ARB and ( 𝑡 , 𝑡 ) ∈ CO . We show that ( 𝑡 , 𝑡 ) ∈ CO . The assumption implies that ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ ARB ♣ and ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ , which means that ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ . Therefore, ( 𝑡 , 𝑡 ) ∈ CO and 𝜏 satisfies the property AxConflict .Concerning
AxRetVal , let 𝑡 be a transaction in 𝜏 that contains a read event re ( 𝑡, 𝑥, 𝑣 ). Let 𝑡 be transaction in 𝜏 such that 𝑡 = 𝑀 𝑎𝑥
ARB ( { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } ) . We show that the read must return a value written by 𝑡 . The definitions of CO and ARB imply that 𝑡 [ 𝑤 ] ∈ { 𝑡 ′ [ 𝑤 ] ∈ 𝜏 ♣ | ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ ∧ ∃ we ( 𝑡 ′ [ 𝑤 ] , 𝑥, · ) ∈ f ( 𝑡 ′ [ 𝑤 ]) } hecking Robustness Between Weak Transactional Consistency Models 35 iff 𝑡 ∈ { 𝑡 ′ ∈ 𝜏 | ( 𝑡 ′ , 𝑡 ) ∈ CO ∧ ∃ we ( 𝑡 ′ , 𝑥, · ) ∈ f ( 𝑡 ′ ) } because ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ implies ( 𝑡 , 𝑡 ) ∈ CO . Then, we obtain that 𝑡 [ 𝑤 ] = 𝑀 𝑎𝑥
ARB ♣ ( { 𝑡 ′ [ 𝑤 ] ∈ 𝜏 ♣ | ( 𝑡 ′ [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ ARB ♣ ∧∃ we ( 𝑡 ′ [ 𝑤 ] , 𝑥, · ) ∈ f ( 𝑡 ′ [ 𝑤 ]) } )and since 𝜏 ♣ is SER we know that the read must return the value written by 𝑡 [ 𝑤 ].Thus, the read returns the value written by 𝑡 , which implies that 𝜏 satisfies AxRetVal holds. Therefore, 𝜏 is PC .( ⇒ ) Assume that 𝜏 is PC . We show that 𝜏 ♣ is SER . Since 𝜏 ♣ is the resultof splitting transactions, a cycle in its dependency relations can only originatefrom a cycle in 𝜏 . Therefore, it is sufficient to show that any happens-beforecycle in 𝜏 is broken in 𝜏 ♣ . From Lemma 7, we have that 𝜏 either does not admita happens-before cycle or any (simple) happens-before cycle in 𝜏 must haveeither two successive RW dependencies or a WW dependency followed by a RW dependency. If 𝜏 does not admit a happens-before cycle then it is SER , and 𝜏 ♣ is trivially SER (since splitting transactions cannot introduce new cycles). 𝑡 𝑡 𝑡 = ⇒ 𝑡 [ 𝑟 ] 𝑡 [ 𝑤 ] 𝑡 [ 𝑟 ] 𝑡 [ 𝑤 ] 𝑡 [ 𝑟 ] 𝑡 [ 𝑤 ] WW ∪ RW RWHB PO ♣ WW ♣ RW ♣ PO ♣ RW ♣ PO ♣ Otherwise, if 𝜏 admits a happens-before cycle like above, then 𝜏 must containthree transactions 𝑡 , 𝑡 , and 𝑡 such that ( 𝑡 , 𝑡 ) ∈ WW ∪ RW , ( 𝑡 , 𝑡 ) ∈ RW , and( 𝑡 , 𝑡 ) ∈ HB (like in the picture above). Then, by splitting transactions we obtainthat ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑤 ]) ∈ WW ♣ or ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ RW ♣ , and ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ RW ♣ .Since, we have ( 𝑡 [ 𝑟 ] , 𝑡 [ 𝑤 ]) ∈ PO ♣ (and not ( 𝑡 [ 𝑤 ] , 𝑡 [ 𝑟 ]) ∈ PO ♣ ), this cannotlead to a cycle in 𝜏 ♣ , which concludes the proof that 𝜏 ♣ is SER
B Proofs for Section 5
Proof (Proof of Lemma 5).
Let
ARB be a total order that includes ARB +0 and ARB +0 ; RW ; ARB * ( ARB * is the reflexive closure of ARB ). This is well definedbecause there exists no cycle between tuples in these two relations. Indeed, if( 𝑡 , 𝑡 ) ∈ ARB +0 and there exist 𝑡 and 𝑡 such that ( 𝑡 , 𝑡 ) ∈ ARB +0 , ( 𝑡 , 𝑡 ) ∈ RW , and ( 𝑡 , 𝑡 ) ∈ ARB * , then we have a cycle in ARB +0 ; RW that does notcontain two successive RW dependencies, which contradicts the hypothesis. Also,for every pair of transactions ( 𝑡 , 𝑡 ) there cannot exist 𝑡 and 𝑡 such that( 𝑡 , 𝑡 ) ∈ ARB +0 , ( 𝑡 , 𝑡 ) ∈ RW and ( 𝑡 , 𝑡 ) ∈ ARB * and 𝑡 ′ and 𝑡 ′ such that( 𝑡 , 𝑡 ′ ) ∈ ARB +0 , ( 𝑡 ′ , 𝑡 ′ ) ∈ RW and ( 𝑡 ′ , 𝑡 ) ∈ ARB * This will imply a cycle in
ARB +0 ; RW ; ARB +0 ; RW which again contradicts thehypothesis. Also, let CO be the smallest transitive relation that includes ARB +0 and ARB ; ARB +0 . We show that CO and ARB are causal and arbitrationorders of 𝜏 that satisfy all the axioms of SI . AxCausal and
AxArb hold trivially. Since WW ⊆ CO , AxConflict holds aswell.
AxPC holds because
ARB ; CO = ARB ; ( ARB +0 ∪ ARB ; ARB +0 ) + = ARB ; ARB +0 ⊂ CO .The axiom AxRetVal is equivalent to the acyclicity of CO ; RW when AxCausal and
AxArb hold. Assume by contradiction that CO ; RW is cyclic. From thedefinition of CO and the fact that ARB is total order we obtain that either: – ARB +0 ; RW is cyclic, which implies that there exists a happens-before cyclethat does not contain two successive RW , which contradicts the hypothesis,or – ARB ; ARB +0 ; RW is cyclic, which implies that there exist 𝑡 , 𝑡 , and 𝑡 suchthat ( 𝑡 , 𝑡 ) ∈ ARB +0 , ( 𝑡 , 𝑡 ) ∈ RW and ( 𝑡 , 𝑡 ) ∈ ARB . This contradictsthe fact that ( 𝑡 , 𝑡 ) ∈ ARB +0 and ( 𝑡 , 𝑡 ) ∈ RW implies ( 𝑡 , 𝑡 ) ∈ ARB .Therefore, 𝜏 satisfies AxRetVal for CO and ARB , which concludes the proof.Next, we present an important lemma that characterizes happens before cy-cles possible under the PC semantics. This is a strengthening of a result in [12]which shows that all happens before cycles under PC must have two successive de-pendencies in { RW , WW } and at least one RW . We show that the two successivedependencies cannot be RW followed WW , or two successive WW . Proof (Proof of Lemma 7).
It was shown in [12] that all happens-before cyclesunder PC must contain two successive dependencies in { RW , WW } and at leastone RW . Assume by contradiction that there exists a cycle with RW dependencyfollowed by WW dependency or two successive WW dependencies. This cyclemust contain at least one additional dependency. Otherwise, the cycle wouldalso have a WW dependency followed by a RW dependency, or it would implya cycle in WW , which is not possible (since WW ⊂ ARB and
ARB is a totalorder). Then, we get that the dependency just before RW is either PO or WR (i.e., CO ) since we cannot have RW or WW followed by RW . Also, the relationafter WW is either PO or WR or WW (i.e., ARB ) since we cannot have WW followed by RW . Thus, the cycle has the following shape: 𝑡 𝑡 𝑡 𝑡 · · · 𝑡 𝑖 𝑡 𝑖 +1 𝑡 𝑖 +2 𝑡 𝑖 +3 · · · 𝑡 𝑛 − 𝑡 𝑛 − 𝑡 𝑛 − 𝑡 𝑛 − 𝑡 𝑛 RW WW
ARB CO RW WW CO RW WW
ARB CO Since CO ; RW ⊆ ARB is a consequence of the PC axioms [26], we get that( 𝑡 𝑛 , 𝑡 ) ∈ ARB , ( 𝑡 𝑖 , 𝑡 𝑖 +2 ) ∈ ARB and ( 𝑡 𝑛 − , 𝑡 𝑛 − ) ∈ ARB , which allows to“short-circuit” the cycle. Using the fact that WW ⊂ ARB , CO ⊂ ARB , and
ARB ⊂ ARB , and applying the short-circuiting process multiple times, weobtain a cycle in the arbitration order
ARB which contradicts the fact that
ARB is a total order. hecking Robustness Between Weak Transactional Consistency Models 37
Proof (Proof of Theorem 5).
For the only-if direction: assume that 𝒫 is robustagainst CC relative to SI . Then, the set of traces of 𝒫 under the two consistencymodels coincide. Since the set of traces under SI is subset of the one under PC ,then the set of traces under CC is subset of the one under PC . This implies that 𝒫 is robust against CC relative to PC . Thus, we obtain that the set of traces of 𝒫 under the three consistency models coincide. Therefore, 𝒫 is robust against PC relative to SI as well.For the if direction: assume that 𝒫 is robust against CC relative to PC and 𝒫 is robust against PC relative to SI . Then, the set of traces of 𝒫 under thethree consistency models coincide. Thus, we obtain that 𝒫 is robust against CC relative to SI . C Proofs for Section 6
Proof (Proof of Theorem 6).
It is enough to show: if 𝒫 is not robust against CC relative to PC then we have a simple cycle in the commutativity dependencygraph of 𝒫 ♣ of the form above. Assume 𝒫 is not robust against CC relativeto PC . Then, from Theorem 1, we obtain 𝒫 ♣ is not robust against CC relativeto SER . Also it was shown in [10] that if a program is not robust then theremust exist a robustness violation trace ( CC relative to SER ) 𝜏 ♣ of the shape 𝜏 ♣ = 𝛼 · 𝑡 · 𝛽 · 𝑡 𝑖 · 𝑡 𝑖 +1 · 𝛾 · 𝑡 𝑛 where ( 𝑡 , 𝑡 𝑖 ) ∈ ( PO ∪ WR ) + , ( 𝑡 𝑖 , 𝑡 𝑖 +1 ) ∈ ( WW ∪ RW ),( 𝑡 𝑖 +1 , 𝑡 𝑛 ) ∈ HB , and ( 𝑡 𝑛 , 𝑡 ) ∈ RW . Note that since transactions in the trace 𝜏 ♣ can either be read-only or write-only. Then, ( 𝑡 𝑖 , 𝑡 𝑖 +1 ) ∈ ( WW ∪ RW ) and( 𝑡 𝑛 , 𝑡 ) ∈ RW imply that 𝑡 and 𝑡 𝑖 +1 must be a write-only transactions and 𝑡 𝑛 must be a read-only transaction. Note that we may have 𝛽 = 𝛾 = 𝜖 as the casefor the trace of the SB program given in Figure 3a.We consider first the general case when 𝑡 ̸≡ 𝑡 . The other case can be provedin the same way.Consider the prefix 𝜏 𝑝 of 𝜏 ♣ : 𝜏 𝑝 = 𝛼 · 𝑡 · 𝛽 · 𝑡 𝑖 where ( 𝑡 , 𝑡 𝑖 ) ∈ ( PO ∪ WR ) + which is a SER trace of 𝒫 ♣ . Then, we have a sequence of transactions from 𝑡 to 𝑡 𝑖 that are related by either PO or WR . In the case two transactions areonly related by WR , then the first transaction is not a right mover because of thesecond transaction reads from a write in the first transaction. Thus, we can relatethe two transactions using the relation M WR in the commutativity dependencygraph.Similarly consider the following trace 𝜏 𝑠 extracted from 𝜏 ♣ : 𝜏 𝑠 = 𝛼 · 𝑡 𝑖 +1 · 𝛾 · 𝑡 𝑛 where ( 𝑡 𝑖 +1 , 𝑡 𝑛 ) ∈ HB which is a SER trace of 𝒫 ♣ . Similar to before, we have asequence of transactions from 𝑡 𝑖 +1 to 𝑡 𝑛 that are related by either PO , WR , WW , or RW . For any two transactions that are related only by either WR , WW ,or RW , this implies that the first transaction is not a right mover because ofthe second transaction and a write-read, write-write, or read-write dependencybetween the two, respectively. Thus, we can relate the two transactions usingeither M WR , M WW , or M RW , respectively.Now consider the following trace 𝜏 extracted from 𝜏 ♣ : 𝜏 = 𝛼 · 𝑡 · 𝛽 · 𝑡 𝑖 · 𝑡 𝑖 +1 where ( 𝑡 𝑖 , 𝑡 𝑖 +1 ) ∈ ( WW ∪ RW ) is a SER trace of 𝒫 ♣ . Because 𝑡 𝑖 and 𝑡 𝑖 +1 are related by either WW or RW , then 𝑡 𝑖 is not a right mover because of 𝑡 𝑖 +1 anda write-write or read-write dependency between the two, respectively. Thus, wecan relate the two transactions using either M WW or M RW , respectively.Finally, consider the following trace 𝜏 extracted from 𝜏 ♣ : 𝜏 = 𝛼 · 𝑡 𝑖 +1 · 𝛾 · 𝑡 𝑛 · 𝑡 where ( 𝑡 𝑛 , 𝑡 ) ∈ RW is a SER trace of 𝒫 ♣ . Because 𝑡 𝑛 and 𝑡 are related by RW ,then 𝑡 𝑛 is not a right mover because of 𝑡 and a read-write dependency betweenthe two. Thus, we can relate the two transactions using M RW . Proof (Proof of Theorem 7).
Similar to before it is enough to show: if 𝒫 is notrobust against PC relative to SI then we have a simple cycle in the commutativitydependency graph of 𝒫 ♣ of the form above. Assume 𝒫 is not robust against PC relative to SI . Then, from Theorem 4, we obtain that if [[ 𝒫 ]] reaches anerror state under SER then we will have the following trace 𝜏 under SER : 𝜏 = 𝛼 · 𝑡 [ 𝑟 ] · 𝑡 · 𝛽 · 𝑡 𝑛 · 𝑡 [ 𝑤 ] where ( 𝑡 [ 𝑟 ] , 𝑡 ) ∈ RW , ( 𝑡 , 𝑡 𝑛 ) ∈ HB , ( 𝑡 𝑛 , 𝑡 [ 𝑤 ]) ∈ WW ,and we don’t have two successive RW in the happens before between 𝑡 and 𝑡 𝑛 .In 𝜏 , 𝑡 [ 𝑤 ] (resp., 𝑡 [ 𝑟 ]) represents 𝑡 (resp., 𝑡 ) in the theorem statement. Notethat we may have 𝛼 = 𝛽 = 𝜖 as is the case of the transformed LU program givenin Figure 4. The construction of the cycle in the commutativity dependencygraph follows the same procedure taken in the proof of Theorem 6. The onlydifference is that for every two transactions of 𝜏 that are part of the happensbefore between 𝑡 and 𝑡 𝑛 , if the two are not connected by either PO , WR , WW ,or RW then they must be the reads and writes of the same original transactionin 𝒫 . In this case, in the commutativity dependency graph we have the twotransactions related by STO . For simplicity, we assume here that after reaching the error state we execute thewrites of 𝑡 , i.e., 𝑡 [ 𝑤𝑤